Resolved SECURITY ISSUE - Plesk 12.5.30

Tozz

Regular Pleskian
There is an information disclosure security issue in 12.5.30.

How to reproduce:

- Create a new reseller account
- Logout from user Admin, and login as the newly created reseller.
- Create a customer under the reseller account together with a subscription for that user.
- Click on Customers (left menu) and select "Log in as customer" to the right of the new customer.
- Click on the Back button on your browser. (Not the back button on the webpage)

Result: You will now see _all_ customers on the server, not just the ones in your reseller account. Also, the Top bar will show "Back to Administrator", seeming to indicate you just received some kind of Administrator credentials.

Please fix this ASAP, as this bug discloses all domain information and usernames.
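The steps above describe a scoping failure: after "Log in as customer" and a return to the reseller view, the customer listing is no longer restricted to the reseller's own customers. The following is an added, constructed model of the defensive pattern for that flow; it is hypothetical example code, not Plesk's, and the account names, the `Session`/`Customer` types and every function in it are assumptions. It keeps the listing scoped to the principal that actually authenticated, so leaving the impersonated customer view (whether via the "Back to ..." link or the browser going back) cannot widen the scope, and the top-bar label is derived from the real role rather than from the previous view.

```python
# Added example: a constructed, hypothetical model of keeping a customer listing
# scoped to the authenticated principal across a "Log in as customer" impersonation
# and the return from it. Not Plesk's code; all names are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Customer:
    login: str
    owner: str  # login of the reseller that owns this customer, or "admin"


# Constructed sample data: two resellers plus one admin-owned customer.
CUSTOMERS = (
    Customer("cust-a", "reseller1"),
    Customer("cust-b", "reseller1"),
    Customer("cust-c", "reseller2"),
    Customer("cust-d", "admin"),
)


@dataclass
class Session:
    principal: str                   # account that actually authenticated
    role: str                        # "admin" or "reseller"
    acting_as: Optional[str] = None  # customer login while impersonating

    def effective_role(self) -> str:
        return "customer" if self.acting_as else self.role


def login(principal: str, role: str) -> Session:
    if role not in ("admin", "reseller"):
        raise ValueError("unsupported role")
    return Session(principal=principal, role=role)


def owned_customers(session: Session) -> list[str]:
    """Customers the authenticated principal is allowed to see."""
    if session.role == "admin":
        return [c.login for c in CUSTOMERS]
    return [c.login for c in CUSTOMERS if c.owner == session.principal]


def impersonate_customer(session: Session, customer_login: str) -> Session:
    """'Log in as customer': only permitted for a customer the principal owns."""
    if customer_login not in owned_customers(session):
        raise PermissionError(f"{session.principal} does not own {customer_login}")
    session.acting_as = customer_login
    return session


def leave_impersonation(session: Session) -> Session:
    """Return from the customer view. Scope is recomputed from the
    authenticated principal; nothing about the previous page is trusted."""
    session.acting_as = None
    return session


def back_link_label(session: Session) -> str:
    """Top-bar link while impersonating, derived from the real role."""
    if not session.acting_as:
        return ""
    return "Back to Administrator" if session.role == "admin" else "Back to Reseller"


def list_customers(session: Session) -> list[str]:
    """Customer listing for the current request. A customer view lists nothing;
    otherwise the list is scoped by the authenticated principal and is never
    widened because the session has been through an impersonation."""
    if session.effective_role() == "customer":
        return []
    return owned_customers(session)


def reported_flow() -> list[str]:
    """Walk the reported steps: log in as a reseller, log in as one of its
    customers, come back, and list customers again."""
    s = login("reseller1", "reseller")
    impersonate_customer(s, "cust-a")
    leave_impersonation(s)
    return list_customers(s)


if __name__ == "__main__":
    print(reported_flow())
```

The check that matters is in `list_customers` and `leave_impersonation`: the scope is a function of `session.principal` and `session.role`, which only `login` sets, so no navigation sequence can produce the administrator's full list for a reseller session. `reported_flow` doubles as a regression test for the exact sequence in the report.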
 
Just a thought, but this sounds a lot like it could be a client-side caching issue, such that it would only occur if you were previously logged in as an admin (meaning only someone with admin privileges could encounter that issue).

Any chance you can reproduce this after clearing a cache and *not* logging in as admin first? For example, create the reseller account, then log out and clear your cache. Proceed with the login to the reseller account.
 
Bugreport PPP-17795 has been submitted. Fix is expected in the nearest update on Monday.
 
Confirmed.

No need to have been admin before.


I logged into this reseller account in incognito mode and also in another browser (Opera) I have never used with Plesk before.
The entire list is shown when pressing back.
 
Glad this is confirmed. This is indeed not a cache issue. The issue was reported by one of our customers, who doesn't have admin credentials.

Issue is resolved in 12.5.30 Update 6 [12 October 2015]
 