bigben
Sep 28 2006, 01:43 PM
Plesk hides passwords from view in the control panel. But, sometimes you need the password to show because you forget it, or a user has changed it.
Attached is a PHP script that will show most usernames and passwords for a given hosted domain name. It shows System, Mail, Database, and Plesk usernames and passwords.
Rename the file to "reveal.php", upload to your server, and browse to the script (e.g. http://www.yourdomain.com/reveal.php). The password is your Plesk admin password. Then put in the domain name for which you want to see passwords.
Voila!
Jim Fletcher
http://www.JimFletcher.net
Edit 6/9/07: Here's a link to the script if you can't download it:
http://www.jimfletcher.net/scripts/reveal.phps
TMX
Sep 28 2006, 02:41 PM
There are some pretty large security implications here. It might be better to delete this post and instead let the Plesk people know about it so they can fix whatever is allowing the passwords to be grabbed.
-B
bigben
Sep 28 2006, 03:10 PM
Plesk, for 8 versions now, has stored passwords in cleartext in a MySQL database currently called 'psa'. For whatever reason, they have chosen for years not to encrypt the passwords. Same thing with the Administrative Plesk Password. It is stored in cleartext in a file called /etc/psa/.psa.shadow . This is a conscious choice by SWSoft.
Anyone can see these passwords by opening the psa database & looking in the 'accounts' table. The various logins are stored in other tables & cross-referenced to the 'accounts' password table. So right now, anyone with their Plesk admin password can, with a little effort, get these passwords. It's just a hassle. Now, with the same password, I have simplified it by writing SQL queries that automatically cross-reference the usernames and passwords.
That said, I wish the next version of Plesk would encrypt passwords stored in the database; there is absolutely no reason not to. Until they do, I like having a simple tool to access them.
In sum, you still need the Plesk admin password to get to the other passwords, so there's no additional security risk.
madsere
Sep 28 2006, 07:08 PM
TMX, I don't know how large the security implications are, the script is useless unless you know the server's MySQL root password in order to get access to MySQL and, as bigben correctly points out, this is the way it always was with Plesk.
The fact that the psa database stores system passwords in clear text is fairly common knowledge and I don't think this post makes a difference.
I agree with bigben, Plesk really should be encrypting those passwords - and in my opinion that fix is not going to happen unless someone points out the problem clearly.
One word of warning: Please don't use this script with a non-SSL website as it would make it quite easy for someone snooping on the network to sniff out the passwords.
mouse
Sep 29 2006, 12:09 AM
QUOTE (madsere)
TMX, I don't know how large the security implications are, the script is useless unless you know the server's MySQL root password in order to get access to MySQL and, as bigben correctly points out, this is the way it always was with Plesk.
The fact that the psa database stores system passwords in clear text is fairly common knowledge and I don't think this post makes a difference.
I agree with bigben, Plesk really should be encrypting those passwords - and in my opinion that fix is not going to happen unless someone points out the problem clearly.
One word of warning: Please don't use this script with a non-SSL website as it would make it quite easy for someone snooping on the network to sniff out the passwords.
Agreed wholeheartedly.. Mouse
texasweb
Sep 29 2006, 06:27 AM
There used to be a free addon called Power Toys for Plesk that had a Password Revealer, MySQL Remote Admin User Manager, Domain, Email Subject Changer and a couple other options. I installed this and have been very satisfied with it. It adds an interface into the control panel. I see now they are charging 9.95 for this.
md3v
Sep 29 2006, 10:10 AM
I've previously used PowerToys ... it's a decent product but with a price tag now, not worth buying. Save the $9.95, buy a hamburger and write a shell script.
lvalics
Sep 29 2006, 10:14 AM
Indeed, we ask now for a small fee of 9.95 ...
We consider that fee as a support for our work, and we hope that everyone can afford it.
Old version will still work for anyone who downloaded it, so 3.9.1 is the latest free, 3.9.2 is for a small fee.
BUT, we will come with some nice features in the future in version 4.0. :-)
madsere
Oct 3 2006, 04:16 AM
It's not a matter of whether it is worth it or not, this is a private support forum for EV1servers and the rules do not allow advertisement of 3rd party software.
lvalics
Oct 3 2006, 04:41 AM
It is not a problem, you can remove any advertising from it if it is not allowed.
nerbonne
Jun 1 2007, 01:58 PM
Thank you very much. Now I don't have to ask my clients what their passwords are when I want to check their settings...
jdawes
Jun 10 2007, 12:05 PM
Just a note: I couldn't get this to work on ver 8.1 Plesk, Linux. When I submit, it refreshes the page and it's the same as it started. Would be a terrific tool though.
analog
Nov 12 2007, 12:36 AM
FYI to all trying to use this script in a newer version of PHP. It doesn't work with globals set to off. I got it working by adding the following code to the top after the copyright comment section, and before:
CODE
# Force HTTPS
Add this:
CODE
$domainname = $_REQUEST['domainname'];
$dbserver = $_REQUEST['dbserver'];
$dbname = $_REQUEST['dbname'];
$dbusername = $_REQUEST['dbusername'];
$dbpassword = $_REQUEST['dbpassword'];
$action = $_REQUEST['action'];
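An added example, not part of analog's post or of reveal.php: one way to read the same six parameters without register_globals while also honoring the HTTPS warning given earlier in the thread. It assumes PHP 7.0 or later; the function name, its return shape and the sample requests are hypothetical.

```php
<?php
// Added example, not code from reveal.php. read_reveal_params() and its
// return shape are hypothetical; the sample requests below are constructed.
function read_reveal_params(array $server, array $post): array
{
    // Refuse plain HTTP: the form carries database credentials and the
    // response carries cleartext passwords.
    if (empty($server['HTTPS']) || strtolower((string) $server['HTTPS']) === 'off') {
        return ['ok' => false, 'error' => 'HTTPS required'];
    }
    // POST only, so credentials never end up in the URL or the access log.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return ['ok' => false, 'error' => 'POST required'];
    }
    $names = ['domainname', 'dbserver', 'dbname', 'dbusername', 'dbpassword', 'action'];
    $params = [];
    foreach ($names as $name) {
        $value = $post[$name] ?? '';
        if (!is_string($value)) { // reject array input such as dbname[]=x
            return ['ok' => false, 'error' => "bad type for $name"];
        }
        // Passwords are kept byte-for-byte; other fields lose stray whitespace.
        $params[$name] = ($name === 'dbpassword') ? $value : trim($value);
    }
    // Allowlist the domain: dot-separated letter/digit/hyphen labels only.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    $domain = strtolower($params['domainname']);
    if (strlen($domain) > 253 || !preg_match("/^$label(?:\\.$label)+$/D", $domain)) {
        return ['ok' => false, 'error' => 'invalid domain name'];
    }
    $params['domainname'] = $domain;
    return ['ok' => true, 'params' => $params];
}

// Constructed sample requests: one well-formed, one with a malformed domain.
$good = read_reveal_params(
    ['HTTPS' => 'on', 'REQUEST_METHOD' => 'POST'],
    ['domainname' => 'Example.com', 'dbserver' => 'localhost', 'dbname' => 'psa',
     'dbusername' => 'admin', 'dbpassword' => 'constructed-secret', 'action' => 'search']
);
$bad = read_reveal_params(
    ['HTTPS' => 'on', 'REQUEST_METHOD' => 'POST'],
    ['domainname' => 'not a domain"']
);
var_dump($good['ok'], $good['params']['domainname'], $bad['ok'], $bad['error']);
```

In a live script the call would be `read_reveal_params($_SERVER, $_POST)`, with the script stopping before any database connection when `ok` is false.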
atomicguava
Jan 19 2008, 04:09 AM
QUOTE (analog @ Nov 12 2007, 06:36 AM)

FYI to all trying to use this script in a newer version of PHP. It doesn't work with globals set to off. I got it working by adding the following code to the top after the copyright comment section, and before:
CODE
# Force HTTPS
Add this:
CODE
$domainname = $_REQUEST['domainname'];
$dbserver = $_REQUEST['dbserver'];
$dbname = $_REQUEST['dbname'];
$dbusername = $_REQUEST['dbusername'];
$dbpassword = $_REQUEST['dbpassword'];
$action = $_REQUEST['action'];
Thanks for the bug fix; this tool is superb.
prestontek
Apr 1 2008, 08:45 AM
Add this code just above the End Section 1 line to also view the Web Users (ftp accounts) associated with selected domain.
CODE
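<h2>Web User Logins</h2>
<TABLE BORDER=1 CELLSPACING=1 CELLPADDING=1>
<tr valign=top>
<td>Web User</td><td>Password</td><td>Home</td>
</tr>
<?php
# Run Web User Login Search
# Explicit joins: mixing a comma join with INNER JOIN makes accounts.id
# unresolvable in the ON clause on MySQL 5.0.12 and later.
# The domain name is escaped before it is placed in the query.
$sql = "SELECT sys_users.home AS userhome, sys_users.login AS userlogin, accounts.`password` AS userpassword"
     . " FROM web_users"
     . " INNER JOIN sys_users ON sys_users.id = web_users.sys_user_id"
     . " INNER JOIN accounts ON accounts.id = sys_users.account_id"
     . " INNER JOIN domains ON domains.id = web_users.dom_id"
     . " WHERE domains.name = '" . mysql_real_escape_string($domainname) . "'";
$aresult = mysql_query($sql);
# Skip the loop if the query failed; escape every value written into the page.
while ($aresult && ($arow = mysql_fetch_array($aresult))) { ?>
<tr valign=top>
<td><?php echo htmlspecialchars($arow["userlogin"]); ?></td><td><?php echo htmlspecialchars($arow["userpassword"]); ?></td><td><?php echo htmlspecialchars($arow["userhome"]); ?></td>
</tr>
<?php } # end while ?>
</TABLE>
<?php ################## END SECTION 1 ################## ?>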
gnusys
Jul 8 2008, 11:48 AM
I have created some bash scripts that you can use to extract these details:
http://gnusys.net/tag/plesk/
These scripts come in handy if you are supporting a Plesk server with a large number of clients/domains.
It can lessen the frustration of a customer who is being asked what his user/pass is when he is having some problems with mail/ftp/database/plesk etc.