N
Nayabk
Guest
Hello Folks,
We just discovered a security flaw in Plesk and Sitebuilder. This needs to be addressed immediately as it can impact a lot of your customers including us.
Please install Fiddler or some other HTTP/HTTPS debugging proxy to see the problem.
Repro Steps:
Create a Reseller account in Plesk (lets say 'reseller1')
For this reseller create a new customer account (domain admin). Lets call him 'customer1'
Either go to a new machine or on this machine clear browser cookies, history etc. and log in as 'customer1' in Plesk.
Enable Fiddler to look at the browser traffic.
In Plesk go to 'SiteBuilder Wizard" for this customer.
In Fiddler look for a call to ExternalLogin.ashx. Look under Session Inspector->WebForms and you'll see the form's Post data including Login and Password. The login & password will be that of reseller1 and NOT customer1.
Folks, you've to take care of this immediately. You're exposing all reseller's passwords to their customers.
We just discovered a security flaw in Plesk and Sitebuilder. This needs to be addressed immediately as it can impact a lot of your customers including us.
Please install Fiddler or some other HTTP/HTTPS debugging proxy to see the problem.
Repro Steps:
Create a Reseller account in Plesk (lets say 'reseller1')
For this reseller create a new customer account (domain admin). Lets call him 'customer1'
Either go to a new machine or on this machine clear browser cookies, history etc. and log in as 'customer1' in Plesk.
Enable Fiddler to look at the browser traffic.
In Plesk go to 'SiteBuilder Wizard" for this customer.
In Fiddler look for a call to ExternalLogin.ashx. Look under Session Inspector->WebForms and you'll see the form's Post data including Login and Password. The login & password will be that of reseller1 and NOT customer1.
Folks, you've to take care of this immediately. You're exposing all reseller's passwords to their customers.