Plesk FTP Subaccounts

[Krydos]

A HelioHost user noticed, and reported to us that there was a minor SFTP vulnerability on our Plesk servers. We have confirmed the report, and have taken action to prevent it in the future.

The main account's SFTP access was correctly chrooted to the home directory so when you connect to SFTP the only directories and files you can see are your own and you can't see the rest of the server. However, if you created an additional SFTP subaccount it was not correctly chrooted which would allow limited read-only access to portions of the filesystem.

It looks like the only information people who used the vulnerability would have had access to is usernames and main domains of everyone on the same server as them, so not a huge deal, but it's best if they don't have access to even that. They were not able to see any directory names, filenames, passwords, emails, or access any files within your account.

In order to prevent this vulnerability we have disabled the ability to create additional SFTP subaccounts, and deleted all of the existing subaccounts on the server. It looks like most of the subaccounts that were deleted were simply trash that was transferred over from cPanel, but a few users may have intentionally created SFTP subaccounts.

If you intentionally created an SFTP subaccount and have discovered that it has been deleted you can either switch to using your main account for SFTP, or if you absolutely can't use your main username for some reason an additional subaccount can be created for you by an admin so that it will be properly chrooted. Thanks to the user who reported this to us, and thanks to everyone for understanding that we have to disable this feature to keep your account secure. Hopefully Plesk will fix their software at some point so we can re-enable it.