Resolved Mail 'application user' has access to WPT by default

[Kaspar]

Username:

TITLE

Mail 'application user' has access to WPT by default

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Any OS
Plesk 18.0.56

PROBLEM DESCRIPTION

When creating an emailaccount a Plesk 'application user' user is created too. The 'application user' has access to the WPT of the domain by default. Which poses a security risk.

STEPS TO REPRODUCE

1) Create domain, upon creation choose to install Wordpress
2) Create an email account for the domain
3) Log out of Plesk, login back again with credentials of mail user from step 2
4) Notice how user has access to the WPT and can modify settings

ACTUAL RESULT

Application users have access to WPT.

EXPECTED RESULT

Application users should not have access to WPT.

ANY ADDITIONAL INFORMATION

Could not reproduce issue on 18.0.54 server, but can on 18.0.56.

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug

 

[Peter Debik]

Thank you for reporting this, it will be tracked as PPS-15108.

 

[Peter Debik]

The issue has been confirmed, but for version 18.0.56 only. Tracking-IDs PPM-14172, PPP-62890. Workaround:
1) Backup /usr/local/psa/admin/plib/pm/Client.php to /usr/local/psa/admin/plib/pm/Client.php.bkp
2) Replace /usr/local/psa/admin/plib/pm/Client.php with the same file from version 18.0.55

 

[Peter Debik]

Resolved in Plesk 18.0.56 #2, published October 27th, 2023.

 

[mow]

2) Create an email account for the domain

by the way, I very much dislike that "Can be used to log in to Plesk" is checked by default. Giving a user more rights should be a conscious decision, not a forgotten default.