"Plesk will expose plain passwords" microupdate 47

Linulex

Silver Pleskian
Did no one find this disturbing?

http://download1.parallels.com/Ples...-11-linux-updates-release-notes.html#1109MU47

MicroUpdate 47 reads:

"Behaviour of Event Handlers is changed. Since this microupdate Plesk will expose plain passwords for event handlers independent on security mode."

Is it documented how to do this? I would like to program a page for my clients where they can view their passwords in Plesk. I know it's unsafe, but it saves us a lot of helpdesk calls if customers can look up their own "lost" mail password. This update compromises security anyway, so it doesn't matter anymore if an authenticated, logged-in customer can access his own passwords for reference purposes.

But my main concern is:

If the event handlers have a way to expose the passwords, what is stopping a hacker that roots my server from finding that method and stealing my passwords!!!!????? He doesn't even have to root it; a flaw in Plesk itself is enough. And don't tell me this is impossible, we all know what happened last year.

regards
Jan
 
Hello Jan,
There is a misleading feature description in the release notes, we will fix it as soon as possible. Corrected feature behaviour is described in the PP 11.0.9 MU#47 release KB article: http://kb.parallels.com/115976
Code:
[+] Behaviour of Event Handlers is changed. Since this microupdate Plesk will expose NEW_PASSWORD variable plain passwords for event handlers independent on security mode for mail accounts.
About your concern:
What is a hacker that roots my server stopping from finding that method and stealing my passwords!!!!?????
Hackers will not be able to decrypt your passwords using this feature, because only the NEW_PASSWORD variable is passed exposed, and only for one action: "Mail account updated". The OLD_PASSWORD variable is passed encrypted as usual.
And don't tell me this is impossible
Moreover, the Event Handlers functionality is available for the admin only. So as long as your admin access is safe, it's only your decision whether to use the functionality or not.
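As an added example (not Plesk's code and not from either post above), here is a skeleton for a "Mail account updated" event handler that consumes the plain-text NEW_PASSWORD the reply describes without copying it into a log, and scrubs it from the environment once used. Plesk passes handler parameters as environment variables; NEW_PASSWORD and OLD_PASSWORD are the names from the thread, NEW_MAILNAME is an assumed name for the mailbox-address variable.

```shell
#!/bin/sh
# Added example (not Plesk's own code): a Plesk "Mail account updated" event
# handler skeleton that handles the plain-text NEW_PASSWORD without leaking it.
# NEW_PASSWORD / OLD_PASSWORD come from the thread; NEW_MAILNAME is assumed.

# Unsafe pattern: dumping the environment "for debugging" copies the plain-text
# NEW_PASSWORD into whatever file or syslog the handler writes to.
unsafe_audit_line() {
    env | grep '^NEW_' | tr '\n' ' '
}

# Safe pattern: build the audit record only from non-secret variables and
# never reference NEW_PASSWORD or OLD_PASSWORD at all.
safe_audit_line() {
    printf 'event=mail-account-updated mailname=%s\n' "${NEW_MAILNAME:-unknown}"
}

# Once the handler has consumed the secret (e.g. pushed it to another system),
# remove it so later commands and child processes cannot read or log it.
scrub_secrets() {
    unset NEW_PASSWORD OLD_PASSWORD
}

# Returns 0 when a candidate log line does not contain the secret, 1 otherwise.
# Use it as a guard before writing any line derived from the environment.
line_is_clean() {
    case "$1" in
        *"$2"*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Stand-alone run with constructed values (a real handler gets them from Plesk).
if [ -z "${NEW_PASSWORD:-}" ]; then
    export NEW_MAILNAME='user@example.invalid' NEW_PASSWORD='constructed-secret'
fi
safe_audit_line
scrub_secrets
```

The same guard applies to any tool the handler calls: pass the secret on stdin or through a dedicated variable the tool expects, not on the command line, where it would show up in process listings and shell history.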
 