Plesk Login Transmits credentials in cleartext

[Deoxymono]

Another PCI scan failing from Security Metrics:

-------------

Protocol: TCP | Port: 8880 | Program: cddbp-alt | Score: 4.0

Description: Web Server Uses Plain Text Authentication Forms

Synoposis: The remote web server might transmit credentials in cleartext.

Impact: The remote web server contains several HTML form fields containing an input of type 'password' which transmit their information to a remote web server in cleartext. An attacker eavesdropping the traffic between web browser and server may obtain logins and passwords of valid users.

Page: /login_up.php3
Destination page: /login_up.php3
Input name: passwd

Other references: CWE:522, CWE:523, CWE:718, CWE:724

Resolution: Make sure that every sensitive form transmits content over HTTPS. Risk Factor: Medium/ CVSS2 Base Score: 4.0 AV:N/AC:H/Au:N/C/I:N/A:N

-------------

Now this appears to be referencing the default login page for Plesk (login_up.php3). However it definitely uses HTTPS so I don't understand the problem here.

Any help anyone can provide with this issue would be greatly appreciated.

 

[Deoxymono]

I fixed this issue simply by blocking port 8880 through the Plesk firewall. It seems it is not needed unless you want to use the Plesk panel without https.