• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

plesk security flaw

S

serial-thrilla

Guest
so here's a lil something i found:
(accounts passwords have been modified for anonymity)

i have two different domains in plesk, for one a create an email account roger and assign password r1234.

for the second i create an account roger and assign the password r1234.

plesk then claims that this password is too easy and makes me put in a different one.

i put r2345 and it goes through.

i go back to the other domain's roger account and try to change the password to r2345 and plesk gives me the easy password error.

plesk is lying to me!!! ... well ok, half truthing me. because, it really means it can't assign this password because another account with that username has that same password.

so... making the user's account unique based on their username and password isn't the best choice.

however, i understand that this was probably a workaround for the webmail. although i do think there is a way to have the webmail know which domain it's being accessed through and relate that username to the domain.

so kids, the moral of the story is that if you get the "easy password" error and you know the password isn't "easy", then you just scored yourself a "cracked" account! woo hoo!!
 
Confirmed. Wonderful.

Really points out the need for passwords that are not easy to guess.

John
 
Originally posted by serial-thrilla
so... making the user's account unique based on their username and password isn't the best choice.

however, i understand that this was probably a workaround for the webmail.

Nope, this is workaround for "short names authentication" POP3/IMAP: you login by username/password and the only way for Plesk do determine what username and domain you mean is to make sure username/password pair is unique among one server.
 
There's a very simple solution to this which has been with us since around Plesk 6 time. In the Plesk > Server > Mail section change the authentication method to use the full email address as username. In reality, if you do get told the password is too easy your password is definately too simple as 2 users on 1 server with the same password is not likely to happen if you use sensible passwords.
 
Originally posted by Cranky
In reality, if you do get told the password is too easy your password is definately too simple as 2 users on 1 server with the same password is not likely to happen if you use sensible passwords.

Yet it might be same person on different hosts. Yeah, I know that using 'short' usernames in login to POP3/IMAP won't be possible in this case. I've got couple of bugs migrating users from Ensim and RaQ where they did have same mailnames and same passwords on different vhosts.
 
Originally posted by dm__
Yet it might be same person on different hosts. Yeah, I know that using 'short' usernames in login to POP3/IMAP won't be possible in this case. I've got couple of bugs migrating users from Ensim and RaQ where they did have same mailnames and same passwords on different vhosts.

My comment about the same user/pass happening twice on a server was aimed more at the "plesk security flaw" title of this thread in that it is far from a flaw as it's very unlikely to happen unless it's 1 user setting up 2 accounts or your user has a far-too-simple password.

I can see where migrating from different platforms may have problems in this case.
 
of course it's a security flaw because it's an indirect way of checking someone else's password, but by all means it's not meant to be something to be scared about, haha.

well, that is until someone takes this or some part of it to the next level... *dun dun dunnnn*
 
And as Cranky stated, something completely in the administrators hands to configure. If you dont like it, you can turn it off.

But hey If you want to label this as a security flaw then its vastly outdistanced by orders of magnitude when compared allowing your users to use cgi-bin or frontpage.
 
I would appreciate it if you would refrain from personal attacks in the forums. Lets keep the conversation adult here please
 
Originally posted by serial-thrilla
lol... atomicturtle, you're retarded.

Retarded? Yet still the most respected member of the forums.
 
Back
Top