Vulnerability in Plesk 8.6 mail authentication with shortnames

QCO

Registered User
My brother just pointed me to the following entry on BugTraq: SecurityFocus

From: Felix Buenemann <Felix.Buenemann@gmx.de>
Date: 2008/8/31
Subject: Plesk 8.6.0 authentication flaw allows to gain virtual user priviledges
To: bugtraq@securityfocus.com

[...]

I have discovered severe security flaws in Plesk 8.6.0 regarding the SHORTNAMES=1 feature for E-Mail logins, that could easily lead to compromised accounts and spam relaying.
The bugs could be reproduced on an existing Plesk 8.6.0 system with data migrated from older Plesk versions and originally from Confixx, as well as on a fresh test install of Plesk 8.6.0, both on OpenSUSE 10.3 x86_64 and using psa autoinstaller.

(1) If SHORTNAMES=1 is active for smtp_psa or smtps_psa in xinetd, QMAIL will accept ANY correctly base64 encoded username which begins with a valid shortname or equals a valid password during AUTH LOGIN authentication. This is only fixed by completely removing SHORTNAMES=1 from smtp(s)_psa, simply setting it to 0 has no effect.

[...]

The same problem exists with Courier IMAP, checked over POP3 using cleartext USER / PASS and AUTH LOGIN authentication, SHORTNAMES=1 inside /etc/courier-imap/pop3d:

[...]
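
A defender-side check for the setting the advisory names, as an added example that is not part of the original post or the advisory: it reports every active `SHORTNAMES=` assignment in the files it is given, including `SHORTNAMES=0`, because the advisory states that for smtp(s)_psa only removing the variable helps. The function name, the sample file contents and the `/etc/xinetd.d/` location are assumptions; `/etc/courier-imap/pop3d` is the path quoted above.

```shell
#!/bin/sh
# Added example (not from the advisory): list active SHORTNAMES= settings.
# Any value is reported, including 0: per the advisory, for smtp(s)_psa only
# removing the variable disables the behaviour. Flagging 0 in other files
# too is a conservative choice made by this example.
# Returns 1 if at least one active setting was found, otherwise 0.
audit_shortnames() {
    rc=0
    for f in "$@"; do
        [ -r "$f" ] || continue              # skip files that do not exist
        awk -v file="$f" '
            /^[ \t]*#/ { next }              # ignore commented-out lines
            {
                rest = $0
                # report every SHORTNAMES=<value> token on the line
                while (match(rest, /SHORTNAMES=[^ \t"]*/)) {
                    print file ":" NR ": " substr(rest, RSTART, RLENGTH)
                    hits++
                    rest = substr(rest, RSTART + RLENGTH)
                }
            }
            END { exit(hits > 0) }
        ' "$f" || rc=1
    done
    return "$rc"
}

# Constructed sample files; their layout is an assumption, not copied from Plesk.
demo_dir=$(mktemp -d)
cat > "$demo_dir/smtp_psa" <<'EOF'
service smtp
{
    env = SMTPAUTH=1 SHORTNAMES=0
}
EOF
cat > "$demo_dir/pop3d" <<'EOF'
# SHORTNAMES=1
POP3AUTH="LOGIN"
EOF
audit_shortnames "$demo_dir/smtp_psa" "$demo_dir/pop3d" \
    || echo "SHORTNAMES is still set; remove the variable entirely"
rm -rf "$demo_dir"

# On a real host (xinetd.d location is an assumption):
#   audit_shortnames /etc/xinetd.d/smtp_psa /etc/xinetd.d/smtps_psa \
#                    /etc/courier-imap/pop3d
```
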
 