
plesk security flaw

Discussion in 'Plesk for Linux - 8.x and Older' started by serial-thrilla, Jul 28, 2005.

  1. serial-thrilla

    serial-thrilla Guest

     
    so here's a lil something i found:
    (accounts passwords have been modified for anonymity)

    i have two different domains in plesk, for one i create an email account roger and assign password r1234.

    for the second i create an account roger and assign the password r1234.

    plesk then claims that this password is too easy and makes me put in a different one.

    i put r2345 and it goes through.

    i go back to the other domain's roger account and try to change the password to r2345 and plesk gives me the easy password error.

    plesk is lying to me!!! ... well ok, half truthing me. because, it really means it can't assign this password because another account with that username has that same password.

    so... making the user's account unique based on their username and password isn't the best choice.

    however, i understand that this was probably a workaround for the webmail. although i do think there is a way to have the webmail know which domain it's being accessed through and relate that username to the domain.

    so kids, the moral of the story is that if you get the "easy password" error and you know the password isn't "easy", then you just scored yourself a "cracked" account! woo hoo!!
     
  2. wjtech

    wjtech Guest

     
    Confirmed. Wonderful.

    Really points out the need for passwords that are not easy to guess.

    John
     
  3. dm__@

    dm__@ Guest

     
    Nope, this is a workaround for "short names authentication" on POP3/IMAP: you log in by username/password, and the only way for Plesk to determine which username and domain you mean is to make sure the username/password pair is unique on one server.
     
  4. Cranky

    Cranky Guest

     
    There's a very simple solution to this which has been with us since around Plesk 6 time. In the Plesk > Server > Mail section change the authentication method to use the full email address as username. In reality, if you do get told the password is too easy your password is definitely too simple, as 2 users on 1 server with the same password is not likely to happen if you use sensible passwords.
     
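    A small model of the two authentication modes discussed in this thread, added here as an illustration; it is not Plesk's code and not any poster's. Domains a.example / b.example are constructed, and the "local strength rule" in the fixed variant is a placeholder. It replays the first post's steps to show why a rejection in short-name mode depends on another account's secret, and that authenticating with the full email address (Cranky's fix) removes that cross-account dependency entirely.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical model of the two mail-auth modes from the thread (not Plesk's code).

@dataclass
class ShortNameAuthServer:
    """'Short name' mode: POP3/IMAP login sends only the mailname, so the mailbox
    is only resolvable if (mailname, password) is unique across the server."""
    accounts: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (domain, mailname)

    def set_password(self, domain: str, mailname: str, password: str) -> str:
        for (d, m), p in self.accounts.items():
            if (d, m) != (domain, mailname) and m == mailname and p == password:
                # Rejection depends on another account's secret: a side channel,
                # reported to the user as if it were a strength-policy failure.
                return "password too easy"
        self.accounts[(domain, mailname)] = password
        return "ok"

    def login(self, mailname: str, password: str) -> Optional[str]:
        hits = [d for (d, m), p in self.accounts.items()
                if m == mailname and p == password]
        return f"{mailname}@{hits[0]}" if len(hits) == 1 else None

@dataclass
class FullAddressAuthServer:
    """Cranky's fix: authenticate with the full email address. The address alone
    identifies the mailbox, so password checks never touch other accounts."""
    accounts: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def set_password(self, domain: str, mailname: str, password: str) -> str:
        if len(password) < 5 or password == mailname:  # placeholder local strength rule
            return "password too easy"
        self.accounts[(domain, mailname)] = password
        return "ok"

    def login(self, address: str, password: str) -> Optional[str]:
        mailname, _, domain = address.partition("@")
        return address if self.accounts.get((domain, mailname)) == password else None

def replay_thread(server) -> List[str]:
    """Replay the first post's steps on either model (constructed domains
    a.example / b.example); returns the four server responses in order."""
    return [
        server.set_password("a.example", "roger", "r1234"),
        server.set_password("b.example", "roger", "r1234"),  # same pair, other domain
        server.set_password("b.example", "roger", "r2345"),
        server.set_password("a.example", "roger", "r2345"),  # now collides with b.example
    ]
```

    In short-name mode the second and fourth responses are "password too easy" even though nothing about the password's strength changed between the two domains; in full-address mode all four succeed and each mailbox still resolves unambiguously.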
  5. dm__@

    dm__@ Guest

     
    Yet it might be the same person on different hosts. Yeah, I know that using 'short' usernames to log in to POP3/IMAP won't be possible in this case. I've got a couple of bugs migrating users from Ensim and RaQ where they did have the same mailnames and same passwords on different vhosts.
     
  6. Cranky

    Cranky Guest

     
    My comment about the same user/pass happening twice on a server was aimed more at the "plesk security flaw" title of this thread in that it is far from a flaw as it's very unlikely to happen unless it's 1 user setting up 2 accounts or your user has a far-too-simple password.

    I can see where migrating from different platforms may have problems in this case.
     
  7. serial-thrilla

    serial-thrilla Guest

     
    of course it's a security flaw because it's an indirect way of checking someone else's password, but by all means it's not meant to be something to be scared about, haha.

    well, that is until someone takes this or some part of it to the next level... *dun dun dunnnn*
     
  8. atomicturtle

    atomicturtle Golden Pleskian

    And as Cranky stated, something completely in the administrator's hands to configure. If you don't like it, you can turn it off.

    But hey, if you want to label this as a security flaw then it's vastly outdistanced by orders of magnitude compared to allowing your users to use cgi-bin or FrontPage.
     
  9. serial-thrilla

    serial-thrilla Guest

     
    lol... atomicturtle, you're retarded.
     
  10. atomicturtle

    atomicturtle Golden Pleskian

    I would appreciate it if you would refrain from personal attacks in the forums. Let's keep the conversation adult here, please.
     
  11. Cranky

    Cranky Guest

     
    Retarded? Yet still the most respected member of the forums.
     
  12. wjtech

    wjtech Guest

     
    Saved my *** more than once.
     