"Plesk will expose plain passwords" microupdate 47

Linulex

Silver Pleskian
Did no one find this disturbing?

http://download1.parallels.com/Ples...-11-linux-updates-release-notes.html#1109MU47

MicroUpdate 47 reads:

"Behaviour of Event Handlers is changed. Since this microupdate Plesk will expose plain passwords for event handlers independent on security mode."

Is it documented how to do this? I would like to program a page for my clients where they can view their passwords in Plesk. I know it's unsafe, but it saves us a lot of helpdesk calls if customers can look up their own "lost" mail password. This update compromises security anyway, so it doesn't matter anymore if an authenticated, logged-in customer can access his own passwords for reference purposes.

But my main concern is:

If the event handlers have a way to expose the passwords, what is stopping a hacker who roots my server from finding that method and stealing my passwords!!!!????? He doesn't even have to root it; a flaw in Plesk itself is enough. And don't tell me this is impossible, we all know what happened last year.

regards
Jan
 
Hello Jan,
There is a misleading feature description in the release notes; we will fix it as soon as possible. The corrected feature behaviour is described in the PP 11.0.9 MU#47 release KB article: http://kb.parallels.com/115976
"[+] Behaviour of Event Handlers is changed. Since this microupdate Plesk will expose NEW_PASSWORD variable plain passwords for event handlers independent on security mode for mail accounts."
About your concern:

"What is stopping a hacker who roots my server from finding that method and stealing my passwords!!!!?????"

Hackers will not be able to decrypt your passwords using this feature, because only the NEW_PASSWORD variable is passed exposed, and only for one action: "Mail account updated". The OLD_PASSWORD variable is passed encrypted as usual.

"And don't tell me this is impossible"

Moreover, the Event Handlers functionality is available to admin only. So as long as your admin access is safe, it's only your decision whether to use the functionality or not.
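The mechanism the reply describes, a handler script receiving NEW_PASSWORD through its environment for the "Mail account updated" event, is exactly the point where an administrator who writes such a handler has to be careful: the script sees the plaintext once, and anything it copies to a log, a world-readable file or a command line outlives that moment. The following is an added example written for this thread, not Plesk's own code and not from the KB article. It is a hypothetical handler that records the event in an audit log while refusing to write the password anywhere. NEW_PASSWORD and OLD_PASSWORD are the variable names given in the thread; NEW_MAILNAME and the log path are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this thread, not Plesk's own code. A hypothetical
# event-handler script for the "Mail account updated" event. Plesk hands
# event data to the handler as environment variables: NEW_PASSWORD and
# OLD_PASSWORD are named in the thread; NEW_MAILNAME and the log path
# below are assumptions made for the example.
#
# Defensive rules the script follows:
#   1. The plaintext value is read only from the environment and is never
#      placed on a command line (the process list would show it).
#   2. The audit record is built without the value, then checked against
#      the value before it is written, so a later edit cannot leak it.
#   3. Both variables are unset before any other program could inherit them.

AUDIT_LOG=${PLESK_AUDIT_LOG:-/var/log/plesk-mail-audit.log}   # assumed path

# audit_line MAILNAME PASSWORD
# Prints the audit record for one event. The second argument is only
# tested for presence; its value is never interpolated into the output.
audit_line() {
    mailname=$1
    if [ -n "$2" ]; then
        status="password-changed"
    else
        status="no-password-in-event"
    fi
    printf 'mail-account-updated %s %s\n' "$mailname" "$status"
}

# contains_secret LINE SECRET
# Succeeds (exit 0) when LINE contains SECRET as a substring. Quoting the
# secret inside the case pattern keeps any glob characters in it literal.
contains_secret() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# handle_event: the body that runs when Plesk invokes the script.
handle_event() {
    secret=${NEW_PASSWORD:-}
    line=$(audit_line "${NEW_MAILNAME:-unknown}" "$secret")
    # Drop both variables now so no child process inherits them.
    unset NEW_PASSWORD OLD_PASSWORD
    if [ -n "$secret" ] && contains_secret "$line" "$secret"; then
        echo "refusing to write an audit line that contains the password" >&2
        unset secret
        return 1
    fi
    unset secret
    # The audit file is created owner-only; it must not be world-readable.
    umask 077
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$line" >> "$AUDIT_LOG"
}

# Only act when Plesk actually invoked the script with event data;
# sourcing the file elsewhere (for instance to test the helpers) does nothing.
if [ -n "${NEW_MAILNAME:-}" ]; then
    handle_event
fi
```

The self-check in handle_event looks redundant next to audit_line, and that is the point: the record is generated by one function and verified by another, so a future edit that adds "helpful" detail to the log line is caught before the line reaches disk rather than discovered in a log review.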