• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

MAJOR security fix released for Plesk 9 (and 10)

HostaHost

Regular Pleskian
Hope others in the forum find this post before they get hacked. Parallels has sent no notice about this to Plesk users but a microupdate #24 was released three days ago to fix what is described as "major security fixes" to 9.5.4:

http://kb.parallels.com/114891

There appear to be two public-facing php files (index.php, login_up.php) that are replaced and eight other Plesk admin-related files replaced.

v10 users should verify that they got microupdate 43 and 44 too, hopefully automated:

http://download1.parallels.com/Ples...el-10-linux-updates-release-notes.html#104444
 
Just to confirm you're actually serious, are you saying the company's current official method of letting its customers know there's a MAJOR security issue is RSS and twitter? You realize that is in direct contrast to what your support people tell the customers right? And if that's the case, you never let your customers know a change in the method in which you announce security updates had occurred. I'm really getting sick of this.
 
To expand on that, this is the specific text that has been sent to me by two different people in support and one account manager over the span of two months earlier this year:

News about such patches are always sent by mailing lists. Please subscribe to them in order to get all the information about latest updates: http://www.parallels.com/mailinglists/subscribe/

Notice it says "always". It does not say "sometimes we'll send via this mailing list, sometimes we'll post it on twitter, sometimes we might do an RSS update, or maybe we will issue a CVE five months after the issue, or perhaps we just won't tell you." It says always, so either they lied to me and it's not always, or someone changed the policy and didn't bother to tell those of us who pay for your product.
 
Why you are not subscribed to RSS feed, which is on the Plesk main page?
Why you are not follower of Plesk Service Team twitter?
Why you do not read forum announcements?

I have stated twice now that I was told multiple times by support and account staff at your company that the one and only official method of receiving notices of security updates is by the mailing list, that I already quoted for you. So are they lying to me, are you lying to me or does no one there have any idea how security notices are sent? Please go on the record right now and tell me that with no question, security updates are no longer sent via the mailing list and that they are only sent via a twitter account. If that is the case then I will inform your support department and our account manager that they are both completely incorrect. If that is not the case, then you are incorrect AND someone screwed up by not sending any of these updates via the mailing list.
 
Last edited:
I strongly recommend you use RSS feed channel as most comprehensive and authoritative source of information on all matters relating to the Plesk.
Also all news from RSS feed automatically duplicated in our twitter and Facebook.
 
Does anyone know what the major security issue is exactly ?

When we fix well known security issue we publish corresponding CVE. When we fix security issue which was found with help of internal audit we can't provide any information because it is security question and we do not want to give any hint to intruders. But we provide indicator for customers - Minor, Major or Critical security update. I think it is enough for most customers for making decision about importance of this security MU.
 
Just wanted to refresh the thread for anyone in the Plesk 9 forum to see; a new critical security update came out yesterday. It was not emailed yet again. I noticed it did get posted to the service team twitter feed. I do find it pretty funny that there are only 17 people following that twitter feed yet Parallels feels it is an official method of notification. Why email your customers about security issues when you can post them to a twitter feed no one is following....
 
Just wanted to refresh the thread for anyone in the Plesk 9 forum to see; a new critical security update came out yesterday. It was not emailed yet again. I noticed it did get posted to the service team twitter feed. I do find it pretty funny that there are only 17 people following that twitter feed yet Parallels feels it is an official method of notification. Why email your customers about security issues when you can post them to a twitter feed no one is following....

You are wrong. We have 163 followers but not 17.
And official method of notification is RSS feed. All initial notifications in RSS are synchronized automatically to twitter and Facebook.
So use RSS feed as our official channel (~3500 subscribers).
 
Last edited:
Ah, looks like 164 now, congrats on picking up an additional subscriber since yesterday.

So you honestly think that the majority of your customers currently subscribe to your RSS feed and/or twitter? If you do not think that, which I can't imagine anyone would, you are doing a disservice to your customers by not emailing them security notices. You have their email addresses, there is simply no justifiable reason to not email them. You just posted a remotely exploitable vulnerability; what possible reason do you have for not putting forth the effort to notify users of your software in every way possible to help prevent them from being exploited?!
 

Attachments

  • Clipboard01.jpg
    Clipboard01.jpg
    28.2 KB · Views: 4
Back
Top