• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Plesk Login Transmits credentials in cleartext

D

Deoxymono

New Pleskian
Another PCI scan failing from Security Metrics:

-------------

Protocol: TCP | Port: 8880 | Program: cddbp-alt | Score: 4.0

Description: Web Server Uses Plain Text Authentication Forms

Synoposis: The remote web server might transmit credentials in cleartext.

Impact: The remote web server contains several HTML form fields containing an input of type 'password' which transmit their information to a remote web server in cleartext. An attacker eavesdropping the traffic between web browser and server may obtain logins and passwords of valid users.

Page: /login_up.php3
Destination page: /login_up.php3
Input name: passwd

Other references: CWE:522, CWE:523, CWE:718, CWE:724

Resolution: Make sure that every sensitive form transmits content over HTTPS. Risk Factor: Medium/ CVSS2 Base Score: 4.0 AV:N/AC:H/Au:N/C/I:N/A:N

-------------

Now this appears to be referencing the default login page for Plesk (login_up.php3). However it definitely uses HTTPS so I don't understand the problem here.

Any help anyone can provide with this issue would be greatly appreciated.
 
I fixed this issue simply by blocking port 8880 through the Plesk firewall. It seems it is not needed unless you want to use the Plesk panel without https.
 
You must log in or register to reply here.

Similar threads

J
How to deploy Plesk Onyx on Amazon EC2
Replies
0
Views
4K
joerg
J
A
Parallels Plesk Pannel 11.0.9 Horde webmail vulnerability?
Replies
4
Views
3K
_Alberto_
A
J
SSL server accepts weak ciphers on port 12443
Replies
2
Views
4K
KirkM
KirkM
E
PCI Compliance - Plesk 11 Login script failing
Replies
5
Views
4K
RalphP
R
D
SSL/TLS Protocol Vulnerability PCI Scan
Replies
8
Views
20K
RalphP
R
Back
Top