1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Security issue: Reseller account pwd is exposed to customers

Discussion in 'Sitebuilder 4.1 for Windows' started by Nayabk, Jan 27, 2008.

  1. Nayabk

    Nayabk Guest

    Hello Folks,
    We just discovered a security flaw in Plesk and Sitebuilder. This needs to be addressed immediately as it can impact a lot of your customers including us.

    Please install Fiddler or some other HTTP/HTTPS debugging proxy to see the problem.

    Repro Steps:
    Create a Reseller account in Plesk (lets say 'reseller1')
    For this reseller create a new customer account (domain admin). Lets call him 'customer1'

    Either go to a new machine or on this machine clear browser cookies, history etc. and log in as 'customer1' in Plesk.
    Enable Fiddler to look at the browser traffic.
    In Plesk go to 'SiteBuilder Wizard" for this customer.
    In Fiddler look for a call to ExternalLogin.ashx. Look under Session Inspector->WebForms and you'll see the form's Post data including Login and Password. The login & password will be that of reseller1 and NOT customer1.

    Folks, you've to take care of this immediately. You're exposing all reseller's passwords to their customers.
  2. Sinclair

    Sinclair Guest

    We could not reproduce this so far. Plesk uses the login of the exact user logged in now.
    Could you please let us know the exact Plesk build number?