Parallels Plesk Panel Vulnerable to Spam Relay
Administrators of the Parallels Plesk Panel, a web-hosting tool, should be very careful when considering whether to activate the shortname authentication feature for all web services. If it is activated, it could give cyber crooks access to all shortname-authenticated services, such as the Simple Mail Transfer Protocol (SMTP) server, which they could then use to relay spam at will.
According to security experts, spam relay refers to sending e-mail to a particular destination through a proxy server or a third-party mail server so as to conceal the address of the e-mail source. When SMTP servers are used, it is called "SMTP relay" or "open relay". This was the method most commonly used by spammers in the past. At present, most spam is distributed by means of proxy servers and botnets, the security experts said.
The vulnerability in the tool, which can lead to spam relay, was detected by Felix Buenemann on a security-related mailing list and was verified by the SecurityReason website, softpedia.com reported on August 22, 2009.
Buenemann had made several attempts to inform the technical department of Parallels about the problem with the Plesk Panel, but his e-mails kept being bounced by many mail filters on all support addresses.
Parallels is not to be held completely responsible for the vulnerability, however, as the Plesk Panel is sold with the feature turned off. According to Buenemann's research, it appears that the administrator of a website has to activate the shortname authentication service manually from the panel.
The shortname service enables authentication to all Plesk-controlled services using the e-mail shortname, that is, the characters before the @ sign, rather than the entire e-mail address. Felix Buenemann stated that on activating the feature and supplying it with a base64 encoded string, access to the entire system will automatically be granted. Moreover, account credentials could be swapped around: a bogus username could be used with an authentic password, or a real password could be used as a username. This has happened with the UNIX platforms running the Plesk 8.6.0 release.
Hackers could easily take advantage of this vulnerability and compromise accounts or perform unauthorized or illegal activities through one of the compromised accounts.
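An added example, not part of the original article or of Plesk itself: a small audit helper that decodes captured SMTP AUTH tokens and reports whether each login used a full e-mail address or only the shortname, so an administrator can see whether shortname authentication is actually in use. It assumes the base64 encoded string mentioned above is a standard SASL PLAIN response (RFC 4616), which the article does not specify; the function names and sample tokens are constructed for illustration.

```python
import base64
import binascii


def parse_auth_plain(token):
    """Decode a SASL PLAIN response: authzid NUL authcid NUL passwd.

    Returns the login name (authcid) or None if the token is malformed.
    The password is deliberately never returned or logged.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    parts = raw.split(b"\x00")
    if len(parts) != 3 or not parts[1]:
        return None
    try:
        return parts[1].decode("utf-8")
    except UnicodeDecodeError:
        return None


def classify_login(authcid):
    """'full-address' if the login is local@domain.tld, else 'shortname'."""
    local, sep, domain = authcid.rpartition("@")
    if sep and local and "." in domain:
        return "full-address"
    return "shortname"


def audit(tokens):
    """Return (login or raw token, verdict) for each captured AUTH token."""
    findings = []
    for token in tokens:
        login = parse_auth_plain(token)
        if login is None:
            findings.append((token, "malformed"))
        else:
            findings.append((login, classify_login(login)))
    return findings


# Constructed sample tokens (not taken from any real server).
SAMPLES = [
    base64.b64encode(b"\x00alice@example.com\x00placeholder-pw").decode(),
    base64.b64encode(b"\x00alice\x00placeholder-pw").decode(),
    "!!!not-base64!!!",
]

if __name__ == "__main__":
    for login, verdict in audit(SAMPLES):
        print(f"{verdict:13} {login}")
```

Any "shortname" verdict on a server where the feature is meant to be off is worth investigating.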
» SPAMfighter News - 11-09-2009