
"Plesk will expose plain passwords" microupdate 47

Linulex

Silver Pleskian
Did no one find this disturbing?

http://download1.parallels.com/Ples...-11-linux-updates-release-notes.html#1109MU47

MicroUpdate 47 reads:

"Behaviour of Event Handlers is changed. Since this microupdate Plesk will expose plain passwords for event handlers independent on security mode."

Is it documented how to do this? I would like to program a page for my clients where they can view their passwords in Plesk. I know it's unsafe, but it saves us a lot of helpdesk calls if customers can look up their own "lost" mail password. This update compromises security anyway, so it doesn't matter anymore if an authenticated, logged-in customer can access his own passwords for reference purposes.

But my main concern is:

If the event handlers have a way to expose the passwords, what is stopping a hacker who roots my server from finding that method and stealing my passwords!!!!????? He doesn't even have to root it; a flaw in Plesk itself is enough. And don't tell me this is impossible, we all know what happened last year.

regards
Jan
Hello Jan,
There is a misleading feature description in the release notes; we will fix it as soon as possible. The corrected feature behaviour is described in the PP 11.0.9 MU#47 release KB article: http://kb.parallels.com/115976
Code:
[+] Behaviour of Event Handlers is changed. Since this microupdate Plesk will expose NEW_PASSWORD variable plain passwords for event handlers independent on security mode for mail accounts.
About your concern:

"What is a hacker that roots my server stopping from finding that method and stealing my passwords!!!!?????"

Hackers will not be able to decrypt your passwords using this feature, because only the NEW_PASSWORD variable is passed exposed, and only for one action: "Mail account updated". The OLD_PASSWORD variable is passed encrypted as usual.

"And don't tell me this is impossible"

Moreover, the Event Handlers functionality is available for admin only. So as long as your admin access is safe, it is only your decision whether to use the functionality or not.
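A defensive handler pattern, added here as an example and not code from this thread or from Plesk: a "Mail account updated" event-handler script that uses the plaintext NEW_PASSWORD only to compute a salted fingerprint and never writes the plaintext itself to disk. It assumes Plesk hands the handler its parameters as the environment variables NEW_MAILNAME and NEW_PASSWORD (names assumed here for illustration), and that sha256sum from coreutils is available. Values in the test are constructed.

```shell
#!/bin/sh
# Added example (not Plesk's code): event handler for "Mail account updated".
# Plesk is assumed to pass handler parameters as environment variables;
# NEW_MAILNAME and NEW_PASSWORD are the assumed names used below.

# Where the handler records that a mailbox password changed (override via env).
AUDIT_LOG="${AUDIT_LOG:-/tmp/mail_update_audit.log}"

# Salted SHA-256 fingerprint of the password. Enough to confirm later that a
# given password matches this record; useless on its own to recover it.
# $1 = salt (we use the mailbox name), $2 = the secret.
fingerprint_password() {
    printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Record the change, storing only the fingerprint, and return it on stdout.
# The plaintext is dropped from the environment as soon as it has been used,
# so nothing the handler calls afterwards inherits it.
handle_mail_update() {
    mailname="${NEW_MAILNAME:?NEW_MAILNAME not set}"
    secret="${NEW_PASSWORD:?NEW_PASSWORD not set}"
    fp=$(fingerprint_password "$mailname" "$secret")
    unset secret NEW_PASSWORD
    printf '%s mailbox=%s pw_sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$mailname" "$fp" >> "$AUDIT_LOG"
    printf '%s\n' "$fp"
}

# Review check: does the audit log contain a given plaintext anywhere?
# Exit status 0 means the plaintext was found (i.e. something leaked).
log_has_plaintext() {
    grep -qF -- "$1" "$AUDIT_LOG"
}

# When invoked by Plesk the variables are already set; run the handler then.
if [ -n "${NEW_PASSWORD:-}" ] && [ -n "${NEW_MAILNAME:-}" ]; then
    handle_mail_update >/dev/null
fi
```

The resulting log lets an admin confirm that the handler ran and which mailbox changed, without the log itself turning into a password store; log_has_plaintext is the kind of check to run over the output of any existing handler to confirm it did not capture plaintext.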