Vulnerability in the authentication process provides spam relaying possibilities

Aug 22, 2009 09:25 GMT

Website administrators using the Parallels Plesk Panel, a web-hosting tool, should be very careful about activating the shortname authentication feature for all web services. If it is turned on, attackers could gain access to all shortname-authenticated processes, including the SMTP server, and use it to relay spam for their own attacks.

This vulnerability was disclosed by Felix Buenemann on a security-related mailing list, and was reproduced by the SecurityReason website. Mr. Buenemann made many attempts to inform the Parallels technical department of this problem, but several mail filters kept bouncing his emails on all support addresses.

Even so, the company formerly known as SWSoft, now rebranded as Parallels, is not to be blamed entirely for this vulnerability, since the web hosting automation panel, Plesk, is shipped with the buggy feature turned off. According to Mr. Buenemann's research, a website admin has to manually activate the shortname authentication service from their panel.

The shortname service allows authentication for all Plesk-governed services with the email shortname (the characters before the @ sign) instead of the entire email address. Felix Buenemann has revealed that activating this feature and supplying it with a base64-encoded string will automatically grant access to the entire system. Account credentials can also be switched around: it is possible to use a fake username with a real password, or to use a real password as a username. This has happened on UNIX platforms running the Plesk 8.6.0 release.

Plesk, one of the most used web-hosting automation panels, has been seeing a lot of usage alongside its competitor, cPanel. Hackers could actively take advantage of this exploit and compromise accounts or perform unauthorized or illicit acts from one of the accounts.

The entire report from Mr. Buenemann can be found updated here. Until Parallels is informed of this bug and security patches are issued, administrators should avoid using shortname authentication on their back-end hosting panels.
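
For administrators who want to know which mailboxes already log in with a shortname before switching the feature off, here is an added example (not taken from Mr. Buenemann's report or from Parallels). It decodes the base64 tokens of SMTP AUTH PLAIN and AUTH LOGIN in a captured client-side transcript and lists the login names that carry no domain part. The function names are hypothetical, and the transcript, names and passwords are constructed.

```python
import base64

def _b64(token):
    """Decode one base64 SASL token to text; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def auth_identities(client_lines):
    """Return [(mechanism, login name)] for each SMTP AUTH attempt seen.
    Passwords are only used to find field boundaries and are never returned."""
    found, expect = [], None  # expect: "PLAIN"/"LOGIN" token due, or "SKIP" password
    for raw in client_lines:
        words = raw.strip().split()
        if not words:
            continue
        if len(words) >= 2 and words[0].upper() == "AUTH":
            mech = words[1].upper()
            token = words[2] if len(words) > 2 else None
        elif expect in ("PLAIN", "LOGIN"):
            mech, token = expect, words[0]   # continuation line of the exchange
        else:
            expect = None                    # LOGIN password line or other command
            continue
        expect = None
        if mech not in ("PLAIN", "LOGIN"):
            continue
        if token is None:
            expect = mech                    # token arrives on the next client line
            continue
        decoded = _b64(token)
        if decoded is None:
            continue
        if mech == "PLAIN":                  # authzid NUL authcid NUL password
            fields = decoded.split("\0")
            if len(fields) != 3:
                continue
            name = fields[1]
        else:                                # LOGIN: user name now, password next
            name, expect = decoded, "SKIP"
        found.append((mech, name))
    return found

def shortname_logins(client_lines):
    """Login names without a domain part, i.e. shortname authentications."""
    return sorted({n for _, n in auth_identities(client_lines) if "@" not in n})

_enc = lambda s: base64.b64encode(s.encode()).decode()
# Constructed transcript (client side only); not real accounts or passwords.
SAMPLE = ["EHLO client.example", "AUTH PLAIN " + _enc("\0alice@example.com\0pw1"),
          "MAIL FROM:<alice@example.com>", "AUTH LOGIN", _enc("bob"), _enc("pw2"),
          "AUTH PLAIN", _enc("\0carol\0pw3"), "QUIT"]
```
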