1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Plesk Login Transmits credentials in cleartext

Discussion in 'Plesk 10.x for Linux Issues, Fixes, How-To' started by Deoxymono, Sep 20, 2012.

  1. Deoxymono

    Deoxymono New Pleskian

    13
    60%
    Joined:
    Jun 10, 2011
    Messages:
    14
    Likes Received:
    0
    Another PCI scan failing from Security Metrics:

    -------------

    Protocol: TCP | Port: 8880 | Program: cddbp-alt | Score: 4.0

    Description: Web Server Uses Plain Text Authentication Forms

    Synoposis: The remote web server might transmit credentials in cleartext.

    Impact: The remote web server contains several HTML form fields containing an input of type 'password' which transmit their information to a remote web server in cleartext. An attacker eavesdropping the traffic between web browser and server may obtain logins and passwords of valid users.

    Page: /login_up.php3
    Destination page: /login_up.php3
    Input name: passwd

    Other references: CWE:522, CWE:523, CWE:718, CWE:724

    Resolution: Make sure that every sensitive form transmits content over HTTPS. Risk Factor: Medium/ CVSS2 Base Score: 4.0 AV:N/AC:H/Au:N/C/I:N/A:N

    -------------

    Now this appears to be referencing the default login page for Plesk (login_up.php3). However it definitely uses HTTPS so I don't understand the problem here.

    Any help anyone can provide with this issue would be greatly appreciated.
     
  2. Deoxymono

    Deoxymono New Pleskian

    13
    60%
    Joined:
    Jun 10, 2011
    Messages:
    14
    Likes Received:
    0
    I fixed this issue simply by blocking port 8880 through the Plesk firewall. It seems it is not needed unless you want to use the Plesk panel without https.
     
Loading...