Mertz (Guest)
I found a design element in Plesk 7.5 and 7.6 for Windows that could be exploited if discovered.
Observed behavior:
When Plesk creates a domain, it creates a catch-all address called '[email protected]' with the numbers being a random string. This mailbox is not visible from the Plesk interface and exists even if catch-alls are turned off for the domain. That's another gripe of mine but I digress.
The problem with this is that the password for this account is set the same as the username.
If someone could somehow discover the username for that catch-all account, they could log in and use the account to relay.
To reproduce:
Create a domain in Plesk.
Find the catch-all mailbox using the MailEnable MMC tool.
Log into ME Webmail and log in as the user. The password will be everything to the left of the '@' symbol.
Tested with:
Plesk 7.5 and 7.6 for Windows.
MailEnable Standard 1.92
MailEnable Professional 1.8x
MailEnable Enterprise 2.x
hMailServer 1.x
Work around:
In the MailEnable MMC, go into each domain and set the status of the mailbox to "Disabled" or "prevent user from authenticating". YMMV.
You can remove the catch-alls using the MailEnable catch-all removal utility (http://www.mailenable.com/utilities/addons/CatchallDisplay.ZIP) but this will only last until you have to run the Plesk Reconfigurator or mchk.exe again.
I have not been able to test a work-around in hMailServer.
I would normally just send this directly into SWSoft support but I want it to get fixed and I want everyone to be aware of it.
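The weakness Mertz describes is a mailbox whose password can be derived from its own name. An administrator who wants to find every such account on a server, not just the hidden Plesk catch-alls, can run an audit over an export of the mail store's accounts. The following script is an added example and is not part of the post, of Plesk, or of MailEnable; it assumes a constructed export format of one "address,password" record per line (MailEnable's own configuration files are not modeled here, and the sample addresses and passwords are made up).

```python
# Added audit example (not from the original post or from Plesk/MailEnable):
# flag mailbox accounts whose password is derived from the account name, the
# condition described for the hidden catch-all mailboxes. The input format is
# an assumption: one "address,password" record per line, as exported from
# whatever admin tooling your mail store provides.

from typing import Iterable, List, Optional, Tuple

# Constructed sample export; every address and password here is made up.
SAMPLE_EXPORT = """\
alice@example.com,Tr0ub4dor&3
bob@example.com,bob@example.com
catchall-83921@example.com,catchall-83921
info@example.org,Info@Example.org
postmaster@example.org,correct horse battery staple
"""


def parse_export(text: str) -> List[Tuple[str, str]]:
    """Parse 'address,password' lines into (address, password) pairs.

    Blank lines are skipped; a line without a comma is a malformed export
    and raises rather than being silently ignored.
    """
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        address, sep, password = line.partition(",")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'address,password'")
        records.append((address.strip(), password))
    return records


def weak_password_reason(address: str, password: str) -> Optional[str]:
    """Return why the password is guessable from the address, or None if it is not.

    Comparison is case-insensitive because many mail systems accept the
    login name in any case, so 'Info' vs 'info' buys no security.
    """
    local_part, _, domain = address.partition("@")
    pw = password.casefold()
    if pw == local_part.casefold():
        return "password equals local part"
    if pw == address.casefold():
        return "password equals full address"
    if domain and pw == domain.casefold():
        return "password equals domain"
    return None


def audit_mailboxes(records: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (address, reason) for every mailbox whose password is derived from its name."""
    findings = []
    for address, password in records:
        reason = weak_password_reason(address, password)
        if reason:
            findings.append((address, reason))
    return findings


if __name__ == "__main__":
    for address, reason in audit_mailboxes(parse_export(SAMPLE_EXPORT)):
        print(f"{address}: {reason}")
```

Run it against a real export after every Plesk Reconfigurator or mchk.exe run, since the post notes that those tools recreate the catch-all accounts; any account the audit reports should be disabled or given a generated password.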