and hosted by, is being used for a phishing attack that is endangering the public safety by attempting to fraudulently obtain personal and or sensitive data from Internet users by impersonating a trusted entity. The website using the domain name,, which is registered with eNom, Inc. seems to be a false positive, a security error cannot be reliably concluded.
I am pretty sure that Plesk Team (or Canonical Team, maintaining Ubuntu packages) will patch Roundcube packages as soon as possible - but that still does not imply that you are safe for XSS or all other kinds of attacks.įor the remainder, I fully agree with the reaction of. I still have to remember you of the quintessence of point 2 : there is nothing that can prevent that your customers act silly and click on various links that will ultimately affect your entire system.Īs a basic 101 for server infrastructure : put your mail server on a dedicated machine, in order to prevent that your mission critical servers are affected by things that you cannot prevent, such as end-customers clicking on spam links and/or spoofing and/or all kinds of other malicious stuff. and if so, then is the Plesk provided Ubuntu package. In short, the current Ubuntu package might already been patched for the specific security vulnerability. Ubuntu packages are known to have specific version numbers that can really differ from the release versions : a difference between a Ubuntu package version and a release of (let's say) Roundcube does not mean that the Ubuntu package is not patched for various improvements, bugfixes or security fixes.
The above means that one essentially gets the Ubuntu base package of Roundcube plus some (very minor) customization to fit Roundcube in the Plesk eco-environment. In the case of Roundcube, it is not that different : it is a choice made out of convenience, reliability and speed of future upgrades and improvements AND safety considerations. In essence, Plesk Team uses default packages and adds some custom config or every now and them some custom code. Now, let's turn to the main point in your post. If a "independent security check" already misses out on that check (and it will, it always will), then you have to rethink the added value of that check. In addition, I have to point out that your "rigourous security check" missed out on one particular and (very) very disturbing security issue : I will not mention it here in detail, but it is essentially that authentication to the mail server is not dependent on the domain used when authenticating via webmail clients. and every mistake your customers make, can affect the entire system maintained by the sysadmin). clicking on links cannot be prevented by a sysadmin, unless you want to re-educate all of your customers. we do not want to invite them, do we?Ģ - There is no such thing as a " independent, rigourous security check" : when it comes to mail, security is as tight as the users of the mail client or webmail client, this in the sense that nobody can prevent anybody else from doing something stupid (i.e. In response to your post, I first have to emphasize two things:ġ - Mentioning a Plesk related (potential) vulnerability on a open forum is not a good thing to do : it is an invitation to script kiddies (and decent hackers already know of lots of other and better methods to hack Plesk instances).