What can be even worse is storing user passwords in plain text.
Brian Krebs was recently shocked when his hosting provider sent him his password in plain text. He wrote a post about it and concluded that it is quite a common practice among hosting providers and that “naming and shaming may be the only way to change” it.
But why do hosting providers save passwords in plain text? Maybe because most of them don’t invent anything and just rely on web hosting automation programs?
Enter Parallels Plesk Panel.
They advertise themselves as “the most widely used hosting control panel solution. With more than 250,000 Windows and Linux servers deployed, Parallels Plesk Panel is the preferred choice for hosting service providers, web designers, and website owners.” They also advertise top-notch security that “protects personal data and websites”.
But what about Plesk security in the real world? Can we call it “top-notch” if I tell you that Plesk stores passwords in plain text?!
Update: Since version 11, Plesk no longer stores passwords in plain text. Unfortunately, many servers still run older versions of Plesk. You can still find many servers with Plesk 8.x.
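To make the difference concrete, here is an added example (not code from the post, from Parallels, or from Plesk) contrasting the anti-pattern above with what “not stored in plain text” should mean: a per-user random salt and a deliberately slow hash (PBKDF2-HMAC-SHA256 from Python's standard library), verified in constant time. The record format `pbkdf2_sha256$iterations$salt$digest`, the iteration count and the account list are assumptions constructed for the example; the `audit` function is the kind of defender-side check an operator could run over a credentials table to find records that are still plain text.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; callers may lower it only for tests.
PBKDF2_ITERATIONS = 600_000

# Constructed sample: what a hosting panel might hold for three customers.
SAMPLE_ACCOUNTS = [
    ("alice", "correct horse battery staple"),
    ("bob", "correct horse battery staple"),   # same password as alice on purpose
    ("carol", "hunter2"),
]


def store_plaintext(accounts):
    """The anti-pattern described in the post: the table holds the password itself."""
    return {user: password for user, password in accounts}


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: algorithm, cost, random salt, digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def store_hashed(accounts, iterations=PBKDF2_ITERATIONS):
    """The remedy: the table holds only salted, slow hashes."""
    return {user: hash_password(password, iterations) for user, password in accounts}


def verify_password(record, candidate):
    """Recompute the digest with the stored salt and cost; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def audit(table):
    """Defender-side check: users whose stored value is not a hash record (i.e. plain text)."""
    return sorted(user for user, value in table.items() if not value.startswith("pbkdf2_sha256$"))


if __name__ == "__main__":
    plain = store_plaintext(SAMPLE_ACCOUNTS)
    hashed = store_hashed(SAMPLE_ACCOUNTS)
    # A copy of the plaintext table is the password list; a copy of the hashed one is not.
    print("plain-text records:", audit(plain))
    print("plain-text records after hashing:", audit(hashed))
    # Same password, different salts, different records.
    print("alice == bob records:", hashed["alice"] == hashed["bob"])
    print("alice login ok:", verify_password(hashed["alice"], "correct horse battery staple"))
    print("alice wrong password:", verify_password(hashed["alice"], "wrong"))
```

Two points worth noting: because each record carries its own random salt, alice and bob end up with different records despite sharing a password, so a stolen table does not reveal which customers reuse passwords; and because the record embeds the iteration count, the operator can raise the cost later and re-hash users as they log in.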
Here are the proofs:
“The problem is, that every password is stored as plain text!!! I mean every password including the plesk, mail and ftp/ssh!”
“…And unfortunately all Passwords in Plesk are stored in plain text!! Take a look in database ‘psa’ at table ‘accounts’ (and better sit down before doing that!).”
And in older versions (many servers still use them) they didn’t encrypt Plesk admin passwords either:
The password will be displayed in plain text.
But maybe it’s not such a big issue? After all, with proper permissions, only server admins have access to the passwords, and server admins should have full access to every part of the server anyway.
That’s not so simple:
In the case of Plesk, there really are such vulnerabilities (http://kb.parallels.com/en/113321), and there are attacks in the wild that exploit them.
February-March 2012: attackers gained admin access to Plesk servers and planted backdoors. The user database seems to have been stolen too.
June 2012: hackers use stolen Plesk credentials to inject malicious code into legitimate websites.
Remember, Parallels bragged about 250,000 servers with Plesk Panel installed. That’s many millions of individual websites and millions of user accounts. Sounds like a good target for attacks.
Back to Brian’s post I mentioned in the beginning — instead of naming and shaming individual hosting companies, we can name and shame the software that they use. But if you are concerned about individual hosting providers, you can simply check whether they use Plesk.
I have a few questions to my blog readers: