• The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

plesk security flaw

S

serial-thrilla

Guest
so here's a lil something i found:
(accounts passwords have been modified for anonymity)

i have two different domains in plesk, for one a create an email account roger and assign password r1234.

for the second i create an account roger and assign the password r1234.

plesk then claims that this password is too easy and makes me put in a different one.

i put r2345 and it goes through.

i go back to the other domain's roger account and try to change the password to r2345 and plesk gives me the easy password error.

plesk is lying to me!!! ... well ok, half truthing me. because, it really means it can't assign this password because another account with that username has that same password.

so... making the user's account unique based on their username and password isn't the best choice.

however, i understand that this was probably a workaround for the webmail. although i do think there is a way to have the webmail know which domain it's being accessed through and relate that username to the domain.

so kids, the moral of the story is that if you get the "easy password" error and you know the password isn't "easy", then you just scored yourself a "cracked" account! woo hoo!!
 
Confirmed. Wonderful.

Really points out the need for passwords that are not easy to guess.

John
 
Originally posted by serial-thrilla
so... making the user's account unique based on their username and password isn't the best choice.

however, i understand that this was probably a workaround for the webmail.
Click to expand...

Nope, this is workaround for "short names authentication" POP3/IMAP: you login by username/password and the only way for Plesk do determine what username and domain you mean is to make sure username/password pair is unique among one server.
 
There's a very simple solution to this which has been with us since around Plesk 6 time. In the Plesk > Server > Mail section change the authentication method to use the full email address as username. In reality, if you do get told the password is too easy your password is definately too simple as 2 users on 1 server with the same password is not likely to happen if you use sensible passwords.
 
Originally posted by Cranky
In reality, if you do get told the password is too easy your password is definately too simple as 2 users on 1 server with the same password is not likely to happen if you use sensible passwords.
Click to expand...

Yet it might be same person on different hosts. Yeah, I know that using 'short' usernames in login to POP3/IMAP won't be possible in this case. I've got couple of bugs migrating users from Ensim and RaQ where they did have same mailnames and same passwords on different vhosts.
 
Originally posted by dm__
Yet it might be same person on different hosts. Yeah, I know that using 'short' usernames in login to POP3/IMAP won't be possible in this case. I've got couple of bugs migrating users from Ensim and RaQ where they did have same mailnames and same passwords on different vhosts.
Click to expand...

My comment about the same user/pass happening twice on a server was aimed more at the "plesk security flaw" title of this thread in that it is far from a flaw as it's very unlikely to happen unless it's 1 user setting up 2 accounts or your user has a far-too-simple password.

I can see where migrating from different platforms may have problems in this case.
 
of course it's a security flaw because it's an indirect way of checking someone else's password, but by all means it's not meant to be something to be scared about, haha.

well, that is until someone takes this or some part of it to the next level... *dun dun dunnnn*
 
And as Cranky stated, something completely in the administrators hands to configure. If you dont like it, you can turn it off.

But hey If you want to label this as a security flaw then its vastly outdistanced by orders of magnitude when compared allowing your users to use cgi-bin or frontpage.
 
I would appreciate it if you would refrain from personal attacks in the forums. Lets keep the conversation adult here please
 
Originally posted by serial-thrilla
lol... atomicturtle, you're retarded.
Click to expand...

Retarded? Yet still the most respected member of the forums.
 
You must log in or register to reply here.

Similar threads

P
Question Connecting a second domain
Replies
2
Views
635
pleskatarian
P
D
Resolved Need to find password for SSH Terminal use - the one I wrote down years ago isn't working
Replies
5
Views
2K
Kaspar
K
K
Resolved This is taking way too long?
Replies
2
Views
729
kek
K
J
Question Please Help - Email server queries
Replies
5
Views
843
Kaspar@Plesk
Kaspar@Plesk
Tim Clarke
Issue Problems with recidive jail
Replies
3
Views
626
La Linea
L
Back
Top