An ongoing series of phishing attacks against the Steam gaming community is making effective use of look-alike domains to trick users into surrendering their usernames and passwords. The fraudsters behind these attacks then attempt to bypass Steam’s two-factor authentication with a malicious executable that is deceptively named SteamGuard.exe.
Posts Tagged password
Fraudsters are exploiting loopholes in the presentation of ads by major search engines in order to lure victims to phishing sites. Searching for “blockchain”, the name of a popular Bitcoin wallet provider, caused deceptive ads to be displayed at the top of search results pages from Google, Bing, Yahoo, and DuckDuckGo. In contrast to the […]
Fraudsters are impersonating online banking websites in order to gain unauthorised access to customers’ emails. Most online banking phishing sites simply try to steal whatever credentials are required to gain access to a victim’s bank account, but by also gaining access to the victim’s email account, the fraudster can prevent the victim from receiving any […]
(Mar 26) Samba did not properly enforce the password guessing protection mechanism.
WordPress 3.7 “Basie”
Version 3.7 of WordPress, named “Basie” in honor of Count Basie, is available for download or update in your WordPress dashboard. This release features some of the most important architectural updates we’ve made to date. Here are the big ones: Updates while you sleep: With WordPress 3.7, you don’t have to lift a finger to […]
WordPress 3.7 Beta 1
I’m pleased to announce the availability of WordPress 3.7 Beta 1. For WordPress 3.7 we decided to shorten the development cycle and focus on a few key improvements. We plan to release the final product in October, and then follow it in December with a jam-packed WordPress 3.8 release, which is already in development. Some […]
[*] Now the mail service works on domains suspended through the Panel GUI.
Before: When a user suspended a domain in the Control Panel, the mail service stopped working. Hence, the owners of mail accounts on this domain could not send and receive emails.
Now: When a user suspends a domain in the Control Panel, the mail service keeps working. Additionally, the user has an option to disable the domain. In this case, the mail service will be stopped as well.
The following issues have been fixed:
[-] Customers were able to select the Mailbox option on the mail account creation page even if they already reached the limit on mailboxes in the corresponding subscription. (126052)
[-] (Linux only) After upgrading from Panel 11.0.9 to Panel 11.5, Panel did not report errors if it failed to convert mail accounts with mixed-case names to lowercase. (139484)
[-] Security improvements. (139537)
[-] (Linux only) Administrators could not restart nginx and PHP-FPM after changing the system user name of the owner of a website that uses PHP-FPM. (140075)
[-] (Linux only) On the transfer pre-check page, Panel did not inform administrators about potential problems that could occur when Mailman was installed on the source server and was not installed on the destination server. (120244)
[-] (Linux only) The plesk utility did not accept arguments in quotes. (140201)
[-] (Linux only) Panel firewall incorrectly blocked most of outgoing connections. (139010, 139011, 139012)
[-] (Linux only) The warning message on the Forgot your password page was unreadable in the Russian locale. (81562)
[-] Event handlers for the event Subdomain of a default domain created did not work if they were configured to run the subdomain utility. (122382)
[-] (Linux only) The help page for the admin command-line utility did not inform administrators that certain options work only in custom view. (139922)
[-] (Windows only) Customers saw the error 0x800710D8 if they had a subscription that contained a large number of domains (more than 200). (110658)
[-] (Windows only) Panel did not update license keys automatically. (92983)
[-] (Windows only) Panel failed to restore mailboxes with passwords that did not meet the server security requirements. (138318)
[-] (Windows only) The web_statistics_executor.exe utility did not generate statistics for individual domains. (140166)
(May 23) The Red Hat Enterprise Linux 6.4 KVM Guest Image for cloud instances had an empty root password by default. The Red Hat Security Response Team has rated this update as having [More…]
The following new features have been implemented:
[+] Running PPA behind NAT. Administrators can configure PPA to run behind a router with NAT.
The following features have been improved:
The following bugs have been fixed:
[-] Administrators could not register Windows-based service nodes if the administrator’s password contained the ^ symbol.
The following bugs have been fixed:
[-] Any installation of the osTicket APS application is treated by Plesk as a global helpdesk. (114056)
[-] (Windows only) Error “Component php5_4 isn’t supported” when creating a subscription (131758)
[-] MySQL databases aren’t migrated from Plesk 9 and Plesk 10 if the Plesk admin password contains the ‘#’ symbol (120651)
[-] Upgrading the PHP component breaks permissions on the PHP sessions directory (91998)
The following bugs have been fixed:
[-] If the password field is empty and unfocused, a message appears saying that the password strength is “Weak” (126906)
[-] (Linux only) Custom certificate isn’t applied to the domain (92428)
[-] (Linux only) mailmng generates a lot of “maildirsize quota header is corrupted” messages (115308)
If you are running an apache server password protecting directories is fairly simple. There are plenty of generators that will help you generate all of the code that you need to place into your .htaccess and .htpasswd files. This can […] ↓ Read the rest of this entry…
WordPress helpful tricks
WordPress can be a bit finicky at times. I use quite a few different little tricks that I have picked up to help fix some very common problems with WordPress. Do you have any cool tricks that might make someone’s […] ↓ Read the rest of this entry…
The 11.0.9 MU#10 update is recommended for all Plesk users and includes general functionality fixes that improve the stability, compatibility, and security of your Plesk server.
To ensure optimal server reliability and security, Parallels strongly recommends keeping your operating system, as well as the Plesk software, up to date.
What’s Changed
The following new functionality has been added:
[+] MSSQL Server 2012 support has been added.
The following bugs have been fixed:
[-] Chained certificate bundles are not correctly concatenated to the main certificate in the nginx config (113865)
[-] PHP error_reporting per vhost does not work because of a wrongly set value (94669)
[-] Cannot change subdomain directory (112590)
[-] Impossible to add plan items provided by the Google AdWords integration module using API-RPC (115802)
[-] Link to documentation on admin’s password change screen leads to non-existing page in documentation (116440)
The following bugs have been fixed:
[-] Panel users failed to send e-mail through qmail if the IPv6 support was turned off on the Panel server and turned on on the receiving server. The mail log /usr/local/psa/var/log/maillog contained the error "System_resources_temporarily_unavailable".
[-] Panel always used the /tmp directory for storing backup temporary files during the backup download regardless of the DUMP_TMP_D value in /etc/psa/psa.conf. Panel users got the error "No space left on device" when downloading their backups if there was not enough space on the disk used by /tmp.
[-] Panel users saw wrongly encoded messages on the password retrieval page if the Panel language was set to Russian.
[-] Administrators were unable to simultaneously run multiple restoration processes of the same backup file using the pleskrestore utility.
(Dec 11) Moodle upstream has released the latest stable versions (1.9.7 and 1.8.11), fixing multiple security issues.

The list for the 1.9.7 release:

Security issues
* MSA-09-0022 – Multiple CSRF problems fixed
* MSA-09-0023 – Fixed user account disclosure in LAMS module
* MSA-09-0024 – Fixed insufficient access control in Glossary module
* MSA-09-0025 – Unneeded MD5 hashes removed from user table
* MSA-09-0026 – Fixed invalid application access control in MNET interface
* MSA-09-0027 – Ensured login information is always sent secured when using SSL for logins
* MSA-09-0028 – Passwords and secrets are no longer ever saved in backups; new backup capabilities moodle/backup:userinfo and moodle/restore:userinfo for controlling who can backup/restore user data; new checks in the security overview report help admins identify dangerous backup permissions
* MSA-09-0029 – A strong password policy is now enabled by default; enabling a password salt is encouraged in config.php; admins are forced to change their password after the upgrade, and admins can force a password change on other users via Bulk user actions
* MSA-09-0030 – New detection of insecure Flash player plugins; Moodle won’t serve Flash to insecure plugins
* MSA-09-0031 – Fixed SQL injection in SCORM module

The list for the 1.8.11 release:

Security issues
* MSA-09-0022 – Multiple CSRF problems fixed
* MSA-09-0023 – Fixed user account disclosure in LAMS module
* MSA-09-0024 – Fixed insufficient access control in Glossary module
* MSA-09-0025 – Unneeded MD5 hashes removed from user table
* MSA-09-0026 – Fixed invalid application access control in MNET interface
* MSA-09-0027 – Ensured login information is always sent secured when using SSL for logins
* MSA-09-0028 – Passwords and secrets are no longer ever saved in backups; new backup capabilities moodle/backup:userinfo and moodle/restore:userinfo for controlling who can backup/restore user data
* MSA-09-0029 – Enabling a password salt is encouraged in config.php, and admins are forced to change their password after the upgrade
* MSA-09-0031 – Fixed SQL injection in SCORM module

References:
http://docs.moodle.org/en/Moodle_1.9.7_release_notes
http://docs.moodle.org/en/Moodle_1.8.11_release_notes

CVE Request:
http://www.openwall.com/lists/oss-security/2009/12/06/1
The following bugs have been fixed:
[-] (Linux only) User can’t log in to Plesk Panel. The following error occurs: [unixODBC][MySQL][ODBC 3.51 Driver]Access denied for user ‘apsc’@’localhost’ (using password: YES). The password for the APSC database is corrupted in the mysql.user table after running the bootstrapper.sh script with the repair option (112468)
[+] MySQL ODBC 5.1.11 driver support has been added
The following bugs have been fixed:
[-] XSS vulnerability in Horde IMP has been fixed (CVE-2012-0791)
[-] When the admin password is changed via the ch_admin_passwd utility, mysqld is left running with the --skip-grant-tables option
[-] Migration via rsync may fail with the “pipe: Too many open files” error
[-] 10.4.4 MU#28 does not set SELinux contexts on /usr/local/psa/handlers/hooks/check-quota handler which causes mail system to go down
I see a lot of sites get hacked in a ton of different ways. This is a topic that could go on for days. There are 3 major ways that sites get hacked: bad passwords, insecure permissions, and out-of-date software. […] ↓ Read the rest of this entry…
The new syntax is:
plesk_password_changer.php <old admin password> [new admin password] [options]
Where [options] can be:
--all – [default] reset passwords for all supported entities
--admin – reset password for admin
--resellers – reset passwords for resellers
--clients – reset passwords for clients
--domains – reset passwords for the main FTP account of domains
--domainadmins – reset passwords for Domain Administrators
--users – change passwords for hosting panel users
--additionalftpaccounts – reset passwords for additional FTP accounts of domains
--subdomains – reset passwords for subdomains. NOTE: In Plesk 10.x, subdomains are treated as domains.
--webusers – reset passwords for Web Users
--mailaccounts – reset passwords for mail accounts
For example, the following command
"%plesk_dir%\additional\PleskPHP5\php.exe" -d safe_mode=0 plesk_password_changer.php setup s3$ret! --admin --clients
resets the passwords for the admin and for clients; the admin password is set to "s3$ret!" (without quotes).
Plesk Service Team is pleased to introduce the PBA-S+Plesk Mass Password Reset Script.
If Plesk Panel is registered as a Plesk node in PBA-S, resetting passwords with plesk_password_changer breaks the integration between Plesk and PBA-S.
To recover the integration with Plesk, you need to run the following script – reset_plesk_passwords.pl – on the PBA-S management node.
This script changes the passwords for Plesk instances that are stored in the PBA-S database, as well as the admin password that is used for connecting to the Plesk node.
The following bugs have been fixed:
[-] Atmail upgrade failed on action ‘Inserting old Atmail database data…’
[-] Automatic key update fails if KAV additional key is installed, but KAV itself is not.
[-] Cannot connect service nodes using the CLI gate
[-] Cannot change an FTP user’s password if “Setup of potentially insecure web scripting options” is disabled on the subscription
The following bugs have been fixed:
[-] Daily maintenance script fails if Plesk Acronis Backup module is installed
[-] Backup to network share doesn’t work
[-] Errors during SiteBuilder site publishing if Plesk has been installed to /var/local
[-] WatchDog can’t start the sw-cp-server service after it fails
[-] Applications that cannot be installed in Plesk have been hidden from the Application catalog
[-] Setting a password that contains the symbol “£” for a mail account produced an error with no clear message
Plesk Panel 10.1.1 MU#13 for Windows and Linux – Product functional fixes – is available since Mar 17, 2011 through the Autoinstaller.
[-] Custom log rotation settings were not applied when upgrading Panel from 9.5.3 to 10 (default Plesk 9.5.3 settings were set).
[-] The order of CSS files for Panel top and left frames is changed; now Panel loads layout.css first.
[-] (Only for Ubuntu 8.04 and 10.04) The mysqld service failed to stop after the administrator’s password was changed with the ch_admin_passwd utility.
[-] Panel users failed to recover their password with error PleskPermissionDeniedException.
[-] Unable to rename domains after mail data location was changed by Plesk Reconfigurator utility.
Plesk Panel 10.1.1 MU#12 – Product functional fixes – is available since Mar 10, 2011 through the Autoinstaller.
The update delivers the following bug fixes:
[-] phpMyAdmin works incorrectly on Plesk for Windows with MSSQL selected as the Panel DB provider
[-] A password changed via Horde’s GUI was not synchronized with the Plesk user
[-] The system user (FTP user) name on a Plesk for Windows account cannot contain dots
[-] Unable to change password via Horde’s GUI
We issued the security hotfix Parallels Plesk Panel 10.0.1 MU#2 – Plesk admin password changing.
The Micro-Update delivers a fix for a vulnerability that allowed an authorized Plesk user to change the Plesk ‘admin’ password and thereby compromise the Control Panel.