Upgraded to 10.4 last month from 9.5.4 to address the reported security issue.
Aside from the problems with email and FTP, apparently there was also an issue that disabled the password-protected directories on ALL sites server-wide.
I discovered this issue today and manually re-activated the password-protection for all these directories on all domains. I initially tried to think of a way to automate the process, but since the paths are unique to each site and some use custom paths while all use the "/plesk-stat" protected directory, I felt it would be safest to just manually reactivate the protected folders for each site.
Every single site on the server suffered from this bug - the "/plesk-stat" folder for every single site was visible to the world. To test it, simply open up any domain on your site with "/plesk-stat/webstat/" for the path as so:
http://example.com/plesk-stat/webstat/
If you're not prompted for a login, you've been bit by this bug.
The fix:
1) Login to your Plesk 10.x for Windows admin panel
2) Click "Subscriptions"
3) For each (domain) in the list
3a) Click the (domain)
3b) Click "Websites & Domains"
3c) Click "Password-protected Directories"
3d) For each (directory) in the list
3d1) Click the (directory)
3d2) Click "Directory Settings"
3d3) Click "OK"
3d4) Repeat for the next (directory)
3e) Repeat for the next (domain)
4) You're done: now test thoroughly.
Aside from the problems with email and FTP, apparently there was also an issue that disabled the password-protected directories on ALL sites server-wide.
I discovered this issue today and manually re-activated the password-protection for all these directories on all domains. I initially tried to think of a way to automate the process, but since the paths are unique to each site and some use custom paths while all use the "/plesk-stat" protected directory, I felt it would be safest to just manually reactivate the protected folders for each site.
Every single site on the server suffered from this bug - the "/plesk-stat" folder for every single site was visible to the world. To test it, simply open up any domain on your site with "/plesk-stat/webstat/" for the path as so:
http://example.com/plesk-stat/webstat/
If you're not prompted for a login, you've been bit by this bug.
The fix:
1) Login to your Plesk 10.x for Windows admin panel
2) Click "Subscriptions"
3) For each (domain) in the list
3a) Click the (domain)
3b) Click "Websites & Domains"
3c) Click "Password-protected Directories"
3d) For each (directory) in the list
3d1) Click the (directory)
3d2) Click "Directory Settings"
3d3) Click "OK"
3d4) Repeat for the next (directory)
3e) Repeat for the next (domain)
4) You're done: now test thoroughly.