Article ID: 122625, created on Aug 13, 2014, last review on Oct 6, 2014

  • Applies to:
  • Operations Automation 5.5
  • Operations Automation 5.4
  • Business Automation 5.5
  • Business Automation 5.4

Symptoms

Resellers can access the details of other resellers within the Parallels Operations Automation (POA) control panel.

When a reseller opens Users > Locked Users > Lockout History and clicks an entry (someuser), the control panel can bring up a user that belongs to another reseller's customer; the reseller can then change that user's details, permissions and services. In other cases the error "Member #XXX does not exist" is shown instead.

In poa.debug.log:

Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:6720:34dc lib]: CORBA_OTHER <0> IDL:Plesk/LoginRestrictions/RestrictionsManagerPrivate:1.0::getLockoutHistory
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:6720:34dc AccountManagement]: [Plesk::LoginRestrictions::LoginRestrictions_impl::getLockoutHistory] ===> ENTRY
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:12204:1c84 Kernel]: STMT [Con: 228, 24E32C18] ' SELECT account_id, owner_id, account_type, company_name, is_personal, is_locked, path, rt_instance_id, ext_system_id, ext_account_id, c_time, note FROM accounts  WHERE account_id = ?'($0 = 1002147)
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:6720:34dc lib]: [AutoDisposableServantActivator::activate_object] ===> ENTRY
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:6720:34dc lib]: [AutoDisposableServantActivator::activate_object] <=== EXIT [0.000000]
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:6720:34dc AccountManagement]: [Plesk::LoginRestrictions::LoginRestrictions_impl::getLockoutHistory] <=== EXIT [0.000000]
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:6720:34dc lib]: CORBA_OTHER </0> OK
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:6720:34dc lib]: CORBA_OTHER <0> IDL:psa.parallels.com/PagingIterator:1.0::getNextNfromOff
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:12204:1c84 Kernel]: STMT [Con: 228, 24E32C18] 'SELECT COUNT(*) FROM  ui_locked_users_archive lu LEFT OUTER JOIN accounts a ON (lu.account_id = a.account_id) LEFT OUTER JOIN (SELECT u.user_id AS user_id, i.login AS login, u.type AS type FROM users u JOIN identities i ON i.identity_id = u.auth_identity_id ) u ON u.login = lu.username WHERE  ( a.path >=  ?  AND  a.path <  ? )  AND locked >=  ?'($0 = 'x1x1002147', $1 = 'x1x1002147y', $2 = '2014-07-13 15:04:24.000000')
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:12204:1ca0 Kernel]: STMT [Con: 228, 24E32C18] 'WITH out4BCE2 AS (
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:12204:1ca0 Kernel]: SELECT inr4BCE3.*, ROW_NUMBER() OVER(ORDER BY inr4BCE3.username) AS num4BCE4
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:12204:1ca0 Kernel]: FROM (
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:12204:1ca0 Kernel]: SELECT company_name, lu.username, u.user_id AS member_id, u.user_id, ip_address, locked, unlock_on, lu.account_id, u.type FROM  ui_locked_users_archive lu LEFT OUTER JOIN accounts a ON (lu.account_id = a.account_id) LEFT OUTER JOIN (SELECT u.user_id AS user_id, i.login AS login, u.type AS type FROM users u JOIN identities i ON i.identity_id = u.auth_identity_id ) u ON u.login = lu.username WHERE  ( a.path >=  ?  AND  a.path <  ? )  AND locked >=  ?
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:12204:1ca0 Kernel]: ) AS inr4BCE3
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:12204:1ca0 Kernel]: )
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:12204:1ca0 Kernel]: SELECT * FROM out4BCE2
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:12204:1ca0 Kernel]: WHERE num4BCE4 BETWEEN 1 AND 2'($0 = 'x1x1002147', $1 = 'x1x1002147y', $2 = '2014-07-13 15:04:24.000000')
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:6720:34dc lib]: CORBA_OTHER </0> OK
Aug 12 15:04:28 POACORE : DBG [UI:7e7c1dad:1407852268646 1:6720:2088 lib]: CORBA_OTHER <0> IDL:psa.parallels.com/Account:1.0::getUserIDByMemberID
Aug 12 15:04:28 POACORE : DBG [UI:7e7c1dad:1407852268646 1:6720:2088 AccountManagement]: [Account_impl::getUserIDByMemberID] ===> ENTRY
Aug 12 15:04:28 POACORE : DBG [UI:7e7c1dad:1407852268646 1:12204:1c8c Kernel]: STMT [Con: 256, 28E42EE8] ' SELECT user_id FROM users  WHERE member_id =  ?  AND type= ?'($0 = 1013813, $1 = 'member')
Aug 12 15:04:28 POACORE : DBG [UI:7e7c1dad:1407852268646 1:6720:2088 AccountManagement]: [Account_impl::getUserIDByMemberID] <=== EXIT [0.046876]
Aug 12 15:04:28 POACORE : DBG [UI:7e7c1dad:1407852268646 1:6720:2088 lib]: CORBA_OTHER </0> OK
Aug 12 15:04:28 POACORE : DBG [UI:7e7c1dad:1407852268693 1:6720:2088 lib]: CORBA_OTHER <0> IDL:psa.parallels.com/Account:1.0::getAccountMember
Aug 12 15:04:28 POACORE : DBG [UI:7e7c1dad:1407852268693 1:6720:2088 AccountManagement]: [Account_impl::getAccountMember] ===> ENTRY
Aug 12 15:04:28 POACORE : DBG [UI:7e7c1dad:1407852268693 1:12204:1c8c Kernel]: STMT [Con: 252, 203AF8D8] ' SELECT scope_id AS account_id, user_id, is_enabled, member_id FROM users WHERE user_id = ?  AND type = ?'($0 = 3091245, $1 = 'member')
Aug 12 15:04:28 POACORE : DBG [UI:7e7c1dad:1407852268693 1:6720:2088 AccountManagement]: [Account_impl::getAccountMember] <=== EXIT [0.000000]
Aug 12 15:04:28 POACORE : DBG [UI:7e7c1dad:1407852268693 1:6720:2088 lib]: CORBA_OTHER </0> OK
Aug 12 15:04:28 POACORE : DBG [UI:7e7c1dad:1407852268693 1:6720:2088 lib]: CORBA_OTHER <0> IDL:psa.parallels.com/Account:1.0::getAccount
Aug 12 15:04:28 POACORE : DBG [UI:7e7c1dad:1407852268693 1:6720:2088 AccountManagement]: [Account_impl::getAccount] ===> ENTRY
Aug 12 15:04:28 POACORE : DBG [UI:7e7c1dad:1407852268693 1:12204:1c8c Kernel]: STMT [Con: 252, 203AF8D8] ' SELECT account_id, owner_id, account_type, company_name, is_personal, is_locked, path, rt_instance_id, ext_system_id, ext_account_id, c_time, note FROM accounts  WHERE account_id = ?'($0 = 1012465)
Aug 12 15:04:28 POACORE : DBG [UI:7e7c1dad:1407852268693 1:6720:2088 AccountManagement]: [Account_impl::getAccount] <=== EXIT [0.000000]
Aug 12 15:04:28 POACORE : DBG [UI:7e7c1dad:1407852268693 1:6720:2088 lib]: CORBA_OTHER </0> OK
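The sequence above can be checked for mechanically: the lockout-history query carries the reseller's path range as bind parameters ($0 = 'x1x1002147'), and the later getAccount statement carries the account_id that the drill-down resolved to. The script below, an added example that is not part of the article and not Parallels code, ties the two together per UI session id and reports any session where the loaded account is not under the reseller's scope. The log lines in it are constructed and abridged from the excerpt above (a second, benign session is invented), the regexes are written against that excerpt only, and the accounts.path values used to decide subtree membership are constructed for the demo; on a real installation they must come from the accounts table.

```python
"""Audit poa.debug.log for Lockout History drill-downs that resolve to an
account outside the calling reseller's subtree (the call chain in the article).

Added example for this article; not Parallels code.  Regexes are written
against the poa.debug.log excerpt above; log lines and accounts.path values
below are constructed for the demo.
"""
import re

# Hex token after "UI:" ties one UI request chain together.
SESSION_RE = re.compile(r"\[UI:([0-9a-f]+):\d+ ")
# Lower bound of the a.path range the lockout-history query is scoped to.
SCOPE_RE = re.compile(r"ui_locked_users_archive.*?\$0 = '([^']+)'")
# member_id handed to getUserIDByMemberID when the entry is clicked.
MEMBER_RE = re.compile(r"WHERE member_id =\s*\?.*?\$0 = (\d+)")
# account_id loaded by getAccount.
ACCOUNT_RE = re.compile(r"FROM accounts\s+WHERE account_id = \?'\(\$0 = (\d+)\)")

# Constructed/abridged from the article's excerpt; session 0badc0de is invented.
SAMPLE_LOG = """\
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:12204:1c84 Kernel]: STMT [Con: 228, 24E32C18] ' SELECT account_id, owner_id, path FROM accounts  WHERE account_id = ?'($0 = 1002147)
Aug 12 15:04:24 POACORE : DBG [UI:7e7c1dad:1407852264490 1:12204:1c84 Kernel]: STMT [Con: 228, 24E32C18] 'SELECT COUNT(*) FROM  ui_locked_users_archive lu LEFT OUTER JOIN accounts a ON (lu.account_id = a.account_id) WHERE  ( a.path >=  ?  AND  a.path <  ? )  AND locked >=  ?'($0 = 'x1x1002147', $1 = 'x1x1002147y', $2 = '2014-07-13 15:04:24.000000')
Aug 12 15:04:28 POACORE : DBG [UI:7e7c1dad:1407852268646 1:12204:1c8c Kernel]: STMT [Con: 256, 28E42EE8] ' SELECT user_id FROM users  WHERE member_id =  ?  AND type= ?'($0 = 1013813, $1 = 'member')
Aug 12 15:04:28 POACORE : DBG [UI:7e7c1dad:1407852268693 1:12204:1c8c Kernel]: STMT [Con: 252, 203AF8D8] ' SELECT account_id, owner_id, path FROM accounts  WHERE account_id = ?'($0 = 1012465)
Aug 12 15:06:01 POACORE : DBG [UI:0badc0de:1407852361000 1:6720:1111 Kernel]: STMT [Con: 228, 24E32C18] 'SELECT COUNT(*) FROM  ui_locked_users_archive lu LEFT OUTER JOIN accounts a ON (lu.account_id = a.account_id) WHERE  ( a.path >=  ?  AND  a.path <  ? )  AND locked >=  ?'($0 = 'x1x1002147', $1 = 'x1x1002147y', $2 = '2014-07-13 15:06:01.000000')
Aug 12 15:06:03 POACORE : DBG [UI:0badc0de:1407852363000 1:6720:1111 Kernel]: STMT [Con: 228, 24E32C18] ' SELECT user_id FROM users  WHERE member_id =  ?  AND type= ?'($0 = 1013900, $1 = 'member')
Aug 12 15:06:03 POACORE : DBG [UI:0badc0de:1407852363000 1:6720:1111 Kernel]: STMT [Con: 228, 24E32C18] ' SELECT account_id, owner_id, path FROM accounts  WHERE account_id = ?'($0 = 1002150)
"""

# Constructed accounts.path values (assumed format, not taken from the article).
ACCOUNT_PATHS = {
    1002147: "x1x1002147x",             # the reseller running the query
    1002150: "x1x1002147x1002150x",     # one of that reseller's customers
    1012465: "x1x1012460x1012465x",     # a customer under a different reseller
}


def in_subtree(path, scope):
    """Mirror the SQL range  a.path >= scope AND a.path < scope || 'y':
    for this path alphabet that is a plain prefix test."""
    return path.startswith(scope)


def audit(log_text, account_paths):
    """Return one finding per getAccount lookup that follows a scoped
    lockout-history query in the same UI session and loads an account whose
    path is outside that scope (or unknown, which needs a manual check)."""
    sessions = {}
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m.group(1), {"scope": None, "member_id": None, "accounts": []})
        if (m2 := SCOPE_RE.search(line)):
            s["scope"] = m2.group(1)
        elif (m2 := MEMBER_RE.search(line)):
            s["member_id"] = int(m2.group(1))
        elif (m2 := ACCOUNT_RE.search(line)) and s["scope"]:
            # Only lookups *after* the scoped query matter; the reseller's own
            # account (1002147 in the article) is loaded before it and skipped.
            s["accounts"].append(int(m2.group(1)))

    findings = []
    for sid, s in sessions.items():
        for acct in s["accounts"]:
            path = account_paths.get(acct)
            if path is None or not in_subtree(path, s["scope"]):
                findings.append({
                    "session": sid, "scope": s["scope"], "member_id": s["member_id"],
                    "account_id": acct, "path": path,
                    "reason": "unknown path" if path is None else "outside scope",
                })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, ACCOUNT_PATHS):
        print(finding)
```

On the sample data the script reports session 7e7c1dad only: member 1013813 resolved to account 1012465, whose constructed path is not under x1x1002147. Note that the prefix test, like the SQL range it mirrors, would also accept a path whose next component merely starts with the same digits unless paths carry a terminator after each id; feed it the real accounts.path values before drawing conclusions.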

Cause

The problem is caused by a known bug with the ID POA-87325.

The log above shows where the boundary is lost: the Lockout History list itself is restricted to the reseller's subtree (a.path between 'x1x1002147' and 'x1x1002147y'), but the archive rows are joined to users by login name alone (u.login = lu.username), and the member_id returned for the clicked entry is then resolved through getUserIDByMemberID, getAccountMember and getAccount by ID only. None of those three statements carries a path restriction, so the account that ends up loaded (1012465 here) is not checked against the reseller's scope.

Resolution

A hotfix request has been submitted. Contact Parallels support to obtain the hotfix for POA-87325. To see whether the flaw has already been exercised on an installation, search poa.debug.log for the sequence above: a getLockoutHistory call scoped to one reseller's path, followed in the same UI session by a getAccount lookup for an account_id that lies outside that path.

Search Words

Reseller Customer Control Vulnerability

Other

PARALLELS – SECURITY ADVISORY: Reseller Customer Control Vulnerability

bug

locked users

Obtain Hotfix
