
Resolved SECURITY ISSUE - Plesk 12.5.30

Tozz

Regular Pleskian
There is an information disclosure security issue in 12.5.30.

How to reproduce:

- Create a new reseller account
- Logout from user Admin, and login as the newly created reseller.
- Create a customer under the reseller account together with a subscription for that user.
- Click on Customers (left menu) and select "Log in as customer" to the right of the new customer.
- Click on the Back button on your browser. (Not the back button on the webpage)

Result: You will now see _all_ customers on the server, not just the ones in your reseller account. Also, the top bar will show "Back to Administrator", seeming to indicate you just received some kind of Administrator credentials.

Please fix this ASAP, as this bug discloses all domain information and usernames.
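The thread does not say what went wrong server-side. As an added example (hypothetical, not Plesk's code), this models the invariant the report asks for: the customer listing and the "Back to ..." target are both derived from the actually authenticated principal on each request, so leaving an impersonation returns the reseller to its own scope and never to an administrator view. `Account`, `Session` and the `ACCOUNTS` directory are constructed for the example.

```python
# Added example (hypothetical, not Plesk's code): scoped "log in as customer"
# impersonation. Invariant: what a session may list is derived from the real
# authenticated principal on every request, never from client-held view state.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    name: str
    role: str              # "admin", "reseller" or "customer"
    owner: Optional[str]   # reseller that owns a customer, None otherwise

ACCOUNTS = {  # constructed sample directory: two resellers, one customer each
    "admin": Account("admin", "admin", None),
    "res1": Account("res1", "reseller", None),
    "res2": Account("res2", "reseller", None),
    "cust-a": Account("cust-a", "customer", "res1"),
    "cust-b": Account("cust-b", "customer", "res2"),
}

@dataclass
class Session:
    stack: list  # stack[0] authenticated for real; later entries are impersonations

    @property
    def actor(self) -> Account:
        return ACCOUNTS[self.stack[-1]]

    def login_as(self, target: str) -> None:
        # Resellers may only impersonate customers they own; admin may impersonate any.
        t = ACCOUNTS[target]
        allowed = self.actor.role == "admin" or (
            self.actor.role == "reseller" and t.owner == self.actor.name)
        if not allowed:
            raise PermissionError(f"{self.actor.name} may not log in as {target}")
        self.stack.append(target)

    def back(self) -> str:
        # "Back to ..." pops to the previous principal; it can never escalate.
        if len(self.stack) > 1:
            self.stack.pop()
        return self.actor.name

def list_customers(session: Session) -> list:
    # Listing is scoped by the current actor and recomputed on every request.
    a = session.actor
    if a.role == "admin":
        return sorted(n for n, x in ACCOUNTS.items() if x.role == "customer")
    if a.role == "reseller":
        return sorted(n for n, x in ACCOUNTS.items() if x.owner == a.name)
    return []  # a customer sees no customer list
```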
 
Just a thought, but this sounds a lot like it could be a client-side caching issue, such that it would only occur if you were previously logged in as an admin (meaning only someone with admin privileges could encounter that issue).

Any chance you can reproduce this after clearing a cache and *not* logging in as admin first? For example, create the reseller account, then log out and clear your cache. Proceed with the login to the reseller account.
 
Bugreport PPP-17795 has been submitted. Fix is expected in the next update on Monday.
 
Confirmed.

No need to have been admin before.


I logged into this reseller account in incognito mode and also in another browser (Opera) I have never used with Plesk before.
The entire list is shown when pressing back.
 
Glad this is confirmed. This is indeed not a cache issue. The issue was reported by one of our customers, who doesn't have admin credentials.

Issue is resolved in 12.5.30 Update 6 [12 October 2015]
 