• Hi, Pleskians! We are running a UX testing of our upcoming product intended for server management and monitoring.
    We would like to invite you to have a call with us and have some fun checking our prototype. The agenda is pretty simple - we bring new design and some scenarios that you need to walk through and succeed. We will be watching and taking insights for further development of the design.
    If you would like to participate, please use this link to book a meeting. We will sent the link to the clickable prototype at the meeting.
  • Our UX team believes in the in the power of direct feedback and would like to invite you to participate in interviews, tests, and surveys.
    To stay in the loop and never miss an opportunity to share your thoughts, please subscribe to our UX research program. If you were previously part of the Plesk UX research program, please re-subscribe to continue receiving our invitations.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Resolved SECURITY ISSUE - Plesk 12.5.30

T

Tozz

Regular Pleskian
There is an information disclosure security issue in 12.5.30.

How to reproduce:

- Create a new reseller account
- Logout from user Admin, and login as the newly created reseller.
- Create a customer under the reseller account together with a subscription for that user.
- Click on Customers (left menu) and select "Log in as customer" right to the new customer.
- Click on the Back button on your browser. (Not the back button on the webpage)

Result: You will now see _all_ customers on the server, not just the onces in your reseller account. Also, the Top bar will show "Back to Administrator" seeming to indicate you just received some kind of Administrator credentials.

Please fix this ASAP, as this bug discloses all domain information and usernames.
 
Just a thought, but this sounds a lot like it could be a client-side caching issue, such that it would only occur if you were previously logged in as an admin (meaning only someone with admin privileges could encounter that issue).

Any chance you can reproduce this after clearing a cache and *not* logging in as admin first? For example, create the reseller account, then log out and clear your cache. Proceed with the login to the reseller account.
 
Bugreport PPP-17795 has been submitted. Fix is expected in the nearest update on Monday.
 
Confirmed.

No need to have been admin before.


I logged into this reseller account in incognito mode and also in another browser (Opera) I have never used with Plesk before.
The entire list is shown when pressing back.
 
Glad this is confirmed. This is indeed not a cache issue. The issue was reported by one of our customers, that doesn't have admin credentials.

Issue is resolved in : 12.5.30 Update 6 [12 October 2015]
 
You must log in or register to reply here.

Similar threads

M
Resolved Plesk Email Security Pro: No access to individual Blacklist/Whitelist/Filter sensitivity - Button is Missing since
Replies
2
Views
704
mcac
M
M
Issue with Connection Info slider preventing saving of system user credentials
Replies
5
Views
1K
Peter Debik
P
P
.NET Core Toolkit Environment Variables get lost
Replies
5
Views
5K
Kaspar@Plesk
Kaspar@Plesk
RPA
Input Automate PLESK with this free RPA Extension
Replies
2
Views
1K
RPA
RPA
T
Plesk Email Security (PES); email user logs into Plesk, PES page : access denied
Replies
8
Views
2K
TomBoB
T
Back
Top