
Issue Restrictive administrator can see everything

netbuild

New Pleskian
Server operating system version
AlmaLinux release 8.9 (Midnight Oncilla)
Plesk version and microupdate number
18.0.61 #5
Hello,

I can't say exactly when it happened, but since one of the last updates the restrictive administrator can see and also change all menu items in Tools and Settings. This is a major security vulnerability and should be fixed as soon as possible.

Furthermore there is a problem with the 2FA authentication. An administrator cannot deactivate 2FA for another administrator if he has lost the authenticator.

Can anyone confirm this?

It's really annoying, but Plesk is now mutating into an advertising platform and patches more bugs in than out.
 
I can't say exactly when it happened, but since one of the last updates the restrictive administrator can see and also change all menu items in Tools and Settings. This is a major security vulnerability and should be fixed as soon as possible.
That's strange. Is Restricted Mode still enabled on the profile of these additional administrator(s)?

Furthermore there is a problem with the 2FA authentication. An administrator cannot deactivate 2FA for another administrator if he has lost the authenticator.
That's correct. 2FA can only be enabled or disabled for all users.
 
I can't say exactly when it happened, but since one of the last updates the restrictive administrator can see and also change all menu items in Tools and Settings. This is a major security vulnerability and should be fixed as soon as possible.
I've just tested this behavior on my old Plesk 18.0.57.5 and the latest 18.0.62, and the behavior and/or items in Restricted Mode are still the same. So the issue appears to be related to the specific settings for a specific additional admin or the settings of Restricted Mode.
 
Sorry, I was unable to reply sooner. Here are 2 screenshots that confirm the behavior.

I have now tested it randomly on 10 systems and the behavior is the same everywhere. Despite the restrictive mode, the additional administrator sees all menu items in the settings menu and can also call them up and make changes.
 

Attachments

  • Bildschirmfoto 2024-07-11 um 12.50.48.png (658.1 KB)
  • Bildschirmfoto 2024-07-11 um 12.50.56.png (835.9 KB)
I've just tested this behavior on my old Plesk 18.0.57.5 and the latest 18.0.62, and the behavior and/or items in Restricted Mode are still the same. So the issue appears to be related to the specific settings for a specific additional admin or the settings of Restricted Mode.
This is not the case, as you can see in the screenshots. In addition, Restricted Mode worked and nobody made any changes.

The customer himself had only activated 2FA authentication, and because he didn't write down the code correctly and therefore asked for help, I noticed it first. Nobody had changed anything or adjusted any settings beforehand. I have already deleted and recreated the user several times, but this does not change the situation. I even had to delete it because you can't revoke 2FA authentication for a user.

Perhaps the error is also related to the activation of the 2FA setting, but since I cannot deactivate it for individual users, I cannot check it.
 

Attachments

  • Bildschirmfoto 2024-07-11 um 13.00.14.png (311.4 KB)
  • Bildschirmfoto 2024-07-11 um 13.00.29.png (152.3 KB)
That's correct. 2FA can only be enabled or disabled for all users.
It is fundamentally nonsensical that you cannot reset the 2FA settings for an individual user. What should the user do if he has lost the backup codes and his cell phone? Delete everything and create a new one?
 
Thank you for posting the screenshots. I tried to replicate the issue, but no matter what I try, the additional admin user always has restricted access when 'Restricted Mode' is enabled for the user, even when MFA is enabled for the additional admin user. These are the steps I took to test this on an Alma 8 Plesk server:

1) Installed and enabled the MFA extension for the Admin user
2) Created an additional admin user and enabled 'Restricted Mode'
3) Logged in to Plesk as the additional admin user
   Restricted Mode was active
4) Enabled MFA for the additional admin user
5) Logged out of Plesk and logged back in as the additional admin user (now with MFA)
   Restricted Mode was still active

Are these steps similar to yours?

One thing you can try is to disable 'Restricted Mode' on the additional admin user and then enable it again. Does that fix the issue?

It is fundamentally nonsensical that you cannot reset the 2FA settings for an individual user. What should the user do if he has lost the backup codes and his cell phone? Delete everything and create a new one?
The current options are:
1) Delete and recreate the user account
2) Re-install the MFA extension
 
It is fundamentally nonsensical that you cannot reset the 2FA settings for an individual user. What should the user do if he has lost the backup codes and his cell phone? Delete everything and create a new one?
After discussing this internally we acknowledge this isn't optimal and have created a user-story internally to improve the extension in the future. Thank you for bringing this to our attention :) (For our own internal reference user-story has ID EXTPLESK-5673).

I've found another workaround to disable MFA for a specific additional admin user. You first need to get and write down the ID of the additional admin user for which you want to disable MFA. You can get it from the URL when you navigate to Tools & Settings > Additional Administrator Accounts and click on the additional admin user. The ID is at the end of the URL in your browser (shown in the image below as an example).
[Attachment: Screenshot 2024-07-16 125810.png]

Afterwards you can run the following command via command line. Replace <ID> with the actual ID number from the additional admin user.
Code:
plesk db "UPDATE ModuleSettings SET value = 'false' WHERE name = 'enabled-adminAlias-<ID>'"
 
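The one-liner above writes straight into the psa database, so two things are worth checking before and after running it: that the row for that ID actually exists (an UPDATE on a missing row silently changes nothing, and the user stays locked out), and that the ID is the additional administrator's and not a value pasted from somewhere else. Because the ID is spliced into the SQL string, it should also be validated as a plain integer. The following is an added example, not code from the thread or from Plesk, that wraps the same UPDATE in those checks. It assumes `plesk db` is on PATH and that the setting is stored in `ModuleSettings` under `enabled-adminAlias-<ID>` exactly as the reply states; the ID 12 is a constructed sample. Since the action removes a second factor, confirm the requester's identity out of band first and have them re-enroll immediately afterwards.

```shell
#!/bin/sh
# Added example (not from the thread or from Plesk): disable MFA for one
# additional administrator by ID, with validation and a before/after read-back.
# Assumptions: `plesk db` exists, and the setting lives in ModuleSettings
# under the name enabled-adminAlias-<ID>, as the forum reply states.

# Accept only a plain positive integer, because the value is spliced into SQL.
# Returns 0 when valid, 1 otherwise.
valid_admin_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# SELECT that shows the current value for the given ID (used before and after).
select_sql() {
    printf "SELECT name, value FROM ModuleSettings WHERE name = 'enabled-adminAlias-%s'" "$1"
}

# The UPDATE from the reply above, parameterised on the ID.
update_sql() {
    printf "UPDATE ModuleSettings SET value = 'false' WHERE name = 'enabled-adminAlias-%s'" "$1"
}

# Disable MFA for one additional administrator.
# With DRY_RUN=1 (the default here) the SQL is only printed, so the statements
# can be reviewed before anything touches the psa database.
disable_admin_mfa() {
    id="$1"
    if ! valid_admin_id "$id"; then
        echo "refusing: admin ID must be a positive integer, got '$id'" >&2
        return 2
    fi
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "[dry-run] $(select_sql "$id")"
        echo "[dry-run] $(update_sql "$id")"
        return 0
    fi
    # Read-back before: an empty result means there is no row to update.
    echo "before:"; plesk db "$(select_sql "$id")"
    plesk db "$(update_sql "$id")"
    # Read-back after: the value column should now show 'false'.
    echo "after:";  plesk db "$(select_sql "$id")"
}

# Sample invocation with a constructed ID; set DRY_RUN=0 to apply for real.
disable_admin_mfa "${1:-12}"
```

Run it as `DRY_RUN=0 sh disable_mfa.sh <ID>` once the printed statements look right; the "before" output tells you whether the ID is wrong before any row is changed.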
Thank you for posting the screenshots. I tried to replicate the issue, but no matter what I try, the additional admin user always has restricted access when 'Restricted Mode' is enabled for the user, even when MFA is enabled for the additional admin user. These are the steps I took to test this on an Alma 8 Plesk server:

1) Installed and enabled the MFA extension for the Admin user
2) Created an additional admin user and enabled 'Restricted Mode'
3) Logged in to Plesk as the additional admin user
   Restricted Mode was active
4) Enabled MFA for the additional admin user
5) Logged out of Plesk and logged back in as the additional admin user (now with MFA)
   Restricted Mode was still active
Hello,

Unfortunately not. I have not even installed 2FA for the admin user; only the restrictive admin user has set up 2FA himself. It doesn't matter whether I delete the restrictive administrator and create a new one, he still has full administrative access.

I would suggest that Plesk support perhaps take a closer look at the servers.
 
After discussing this internally we acknowledge this isn't optimal and have created a user-story internally to improve the extension in the future. Thank you for bringing this to our attention :) (For our own internal reference user-story has ID EXTPLESK-5673).

I've found another workaround to disable MFA for a specific additional admin user. You first need to get and write down the ID of the additional admin user for which you want to disable MFA. You can get it from the URL when you navigate to Tools & Settings > Additional Administrator Accounts and click on the additional admin user. The ID is at the end of the URL in your browser (shown in the image below as an example).
[Attachment 26632]

Afterwards you can run the following command via command line. Replace <ID> with the actual ID number from the additional admin user.
Code:
plesk db "UPDATE ModuleSettings SET value = 'false' WHERE name = 'enabled-adminAlias-<ID>'"

Thank you, at least my employees can use it to deactivate 2FA for customers if they have locked themselves out. So that's a workaround that helps.
 
Hello,

Unfortunately not. I have not even installed 2FA for the admin user; only the restrictive admin user has set up 2FA himself. It doesn't matter whether I delete the restrictive administrator and create a new one, he still has full administrative access.

I would suggest that Plesk support perhaps take a closer look at the servers.
That's probably best. You can sign in via https://support.plesk.com/hc/en-us to open a support ticket and let support engineers investigate the issue on your server.

Support is included if you bought your license directly from Plesk. If you got your license from a reseller, your reseller should provide support for you. If the reseller does not provide support, here is an alternative to get support directly from Plesk: https://support.plesk.com/hc/en-us/articles/12388090147095-How-to-get-support-directly-from-Plesk
 
That's probably best. You can sign in via https://support.plesk.com/hc/en-us to open a support ticket and let support engineers investigate the issue on your server.

Support is included if you bought your license directly from Plesk. If you got your license from a reseller, your reseller should provide support for you. If the reseller does not provide support, here is an alternative to get support directly from Plesk: https://support.plesk.com/hc/en-us/articles/12388090147095-How-to-get-support-directly-from-Plesk
Thank you,

We obtain the licences through you. I will then tell my employees that they should submit the relevant errors (there are still a few) via ticket.
 