A user is able to take down a Microsoft SQL Server.
Plesk grants the db_backupoperator permission to MSSQL database users created from the Plesk interface. This permission allows the user to back up databases.
The backups are performed in the context of the MSSQLSERVER service. Although a user can back up only their own database, a user who runs the backup many times can fill the whole hard disk, and MS SQL Server will stop (if the backup directory is not located on a separate drive).
For example, a user can connect to MS SQL Server and execute the following query multiple times:
BACKUP DATABASE [mydatabase] TO DISK = N'C:\Microsoft SQL Server\MSSQL13.HOSTING\MSSQL\Backup\growing.bak' WITH NOFORMAT, NOINIT, NAME = N'spacefiller', NOSKIP, REWIND, NOUNLOAD, STATS = 10
This is a bug with ID PPPM-7512, which will be fixed in the next product updates.
As a workaround, disable remote connections in the MS SQL Server settings, or adjust the firewall to block remote connections to MS SQL Server.
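
To spot this condition on a shared host, an administrator can check the backup history that SQL Server records in msdb. The following T-SQL is an added example, not part of the original article or of Plesk itself; the look-back window and the backup-count threshold are assumptions to tune per server.

```sql
-- Added example: flag non-sysadmin users who take many full backups to disk,
-- then show free space on the volumes that hold database files.
DECLARE @window_hours int = 24;  -- look-back period (assumed value)
DECLARE @max_backups  int = 5;   -- backups per user/database/file treated as normal (assumed value)

-- 1. Repeated disk backups per user, database and target file.
--    With NOINIT each run appends a backup set to the same file, so the
--    count and summed size show how fast that file is growing.
SELECT
    bs.user_name,
    bs.database_name,
    bmf.physical_device_name,
    COUNT(*)                                               AS backup_count,
    CAST(SUM(bs.backup_size) / 1048576.0 AS decimal(18,1)) AS total_mb,
    MIN(bs.backup_start_date)                              AS first_backup,
    MAX(bs.backup_finish_date)                             AS last_backup
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf
    ON bmf.media_set_id = bs.media_set_id
WHERE bs.backup_start_date >= DATEADD(HOUR, -@window_hours, GETDATE())
  AND bs.type = 'D'                 -- full database backups
  AND bmf.device_type = 2           -- written to disk
  AND ISNULL(IS_SRVROLEMEMBER('sysadmin', bs.user_name), 0) = 0
GROUP BY bs.user_name, bs.database_name, bmf.physical_device_name
HAVING COUNT(*) > @max_backups
ORDER BY total_mb DESC;

-- 2. Free space on every volume that hosts data or log files.
--    If the backup directory shares one of these volumes, a full disk
--    stops the instance as described above.
SELECT DISTINCT
    vs.volume_mount_point,
    vs.total_bytes     / 1048576 AS total_mb,
    vs.available_bytes / 1048576 AS free_mb
FROM sys.master_files AS mf
CROSS APPLY sys.dm_os_volume_stats(mf.database_id, mf.file_id) AS vs
ORDER BY free_mb ASC;
```

Run it as a sysadmin login; scheduling it as a SQL Server Agent job with an alert on low free_mb gives early warning before the disk fills.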