[BUG] Application users permissions are reset to default after migration

8 comments

  • Marc (Edited)

    Hi, it is not the same issue, but we have found another bug, which could be major!

    We use Obsidian 18.0.24 on 5 physical servers.
    We hosted around 40 domains per server.
    We set up another own server for one customer and migrated his web presence from one of the other servers.
    Yesterday a customer logged in on the wrong server, on which his presence is not hosted.
    He could log in with the user role "Domain Administrator" and see all domains that are hosted on this server!
    When searching for the problem, I found that all users from the other server were migrated! But we migrated a SINGLE website only!

    Then, obviously, these users have access to the server, although the domains (subscriptions) are not stored there! They can see and administer all hosted domains and change configurations, even though they only have access to their own domain, which is not even hosted there!

    It looks as if Obsidian grants access to all domains if a login via user roles exists, but the assigned domain cannot be found on the server.

    Very bad issue! 

  • Maxim Krasikov

    Hi @Marc, 

    Could you contact Plesk support directly using the link below? We would like to deeply investigate the described issue.
    https://support.plesk.com/hc/en-us/requests/new

  • Marc

    Hi, it doesn't work for me. Our licence is via my hosting company (Strato), so the key is not accepted for sending the ticket.

    Be so kind and delegate my message via internal mail for fixing; it could probably be important for Plesk to fix it very soon!
    For further correspondence you can use my email contact.

  • Ekaterina Babenko

    Hello Marc,

    All communication with support is performed using the Support Portal only.
    To check the issue further, you can either contact Strato or get a support subscription to submit a request to Plesk Support:
    https://support.plesk.com/hc/en-us/articles/213953025-How-to-get-support-directly-from-Plesk-

    The subscription has a free trial period of 1 month.

  • Marc

    I just want to let you know about this bug. Strato will do nothing about this issue, because we use root servers (not managed).

    My 30-day free support expired and I don't want to pay for submitting a bug.
    If you know about this issue, you have to delete all wrong users after migration - that's it - but you have to know about this issue. Otherwise a Domain Administrator role can do things for which he has no access!

    It is a security issue, so Plesk should fix it immediately.

  • Ekaterina Babenko

    Hello Marc,
    Thank you for sharing this with us.

    Such an issue requires deep investigation.
    If submitting a request is not an option, you can drop a post about this on our forum, providing exact steps on how to reproduce the issue:
    https://talk.plesk.com/

  • Marc

    It was the FIRST thing that I had done,

    https://talk.plesk.com/threads/user-role-security-issue-in-obsidian.355702/

    but it seems to be not very interesting... so I thought I'd try this way.

  • Alisa Kasyanova

    @Marc
    I have passed the information to the development team. We will contact you in case any additional information is required, and will let you know the results of the investigation.
