Security issue: Reseller account pwd is exposed to customers

[Nayabk]

Hello Folks,
We just discovered a security flaw in Plesk and Sitebuilder. This needs to be addressed immediately as it can impact a lot of your customers including us.

Please install Fiddler or some other HTTP/HTTPS debugging proxy to see the problem.

Repro Steps:
Create a Reseller account in Plesk (lets say 'reseller1')
For this reseller create a new customer account (domain admin). Lets call him 'customer1'

Either go to a new machine or on this machine clear browser cookies, history etc. and log in as 'customer1' in Plesk.
Enable Fiddler to look at the browser traffic.
In Plesk go to 'SiteBuilder Wizard" for this customer.
In Fiddler look for a call to ExternalLogin.ashx. Look under Session Inspector->WebForms and you'll see the form's Post data including Login and Password. The login & password will be that of reseller1 and NOT customer1.

Folks, you've to take care of this immediately. You're exposing all reseller's passwords to their customers.

Security issue: Reseller account pwd is exposed to customers

 

[sergius]

Hello Nayabk,

Thank you for the report.
We have an idea why so can be but we need access to your problem server to verify it. Could you please send me private message with address and credentials for RDP?

 

[sergius]

Hello Nayabk,

We've look at your server and found interesting things for us. Thank you for the report.
We will fix it as soon as possible.
Now we can suggest you two solutions:

1. You should disable Domain Administrator on each domain where Domain Adminstrator and sitebuilder support are used and enable it again.

2. You should run %plesk_bin%sitebuilder.exe --fix. Please perform backup before.

Any feedback is appreciated.

 

[Nayabk]

Thank you for the quick action. We'll wait for the fix.