Critical security issue in Plesk 10 Proftpd

Discussion in 'Plesk 10.x for Linux Issues, Fixes, How-To' started by JuergenW, Nov 4, 2010.

  1. JuergenW

    JuergenW New Pleskian

    Joined:
    Jun 30, 2010
    Messages:
    6
    Likes Received:
    0
    Hi Parallels-Team!

    Plesk 10 comes with ProFTPD v 1.3.3 (psa-proftpd-1.3.3-cos5.build109101020.08.x86_64 : ProFTPD -- Professional FTP Server). Unfortunately this version has a critical security issue. See http://www.h-online.com/security/news/item/Security-update-for-ProFTPD-FTP-server-1128907.html and http://bugs.proftpd.org/show_bug.cgi?id=3521:

    ------------------ begin snippet ---------------------

    Security update for ProFTPD FTP server
    A flaw in the popular ProFTPD FTP server potentially allows unauthenticated attackers to compromise a server. The problem is caused by a buffer overflow in the pr_netio_telnet_gets() function for evaluating TELNET IAC sequences.

    ProFTPD is capable of processing TELNET IAC sequences on port 21; the sequences enable or disable certain options not supported by the Telnet or FTP protocol itself. The buffer overflow allows attackers to write arbitrary code to the application's stack and launch it. Updating to version 1.3.3c of ProFTPD solves the problem.

    The update also fixes a directory traversal vulnerability which can only be exploited if the "mod_site_misc" module is loaded. This flaw could allow attackers with write privileges to leave their permitted path and delete directories or create symbolic links outside of the path. The module is not loaded or compiled by default.

    Further information about the update can be found in the release notes and in the NEWS file. As the developers have classified the release as an "important security update", all users are advised to install it as soon as possible.

    ------------------- end snippet ----------------------

    To fix the issue ProFTPD 1.3.3c was released.

    When will Parallels provide the necessary update for Plesk 10? Or do we have to patch ProFTPD by ourselves? For which Plesk versions will you provide a fix?

    Thanks!
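The overflow the quoted advisory describes sits in the code that strips TELNET IAC negotiation out of the FTP control channel before the command line is parsed. What follows is an added illustration of that bug class and is not ProFTPD's pr_netio_telnet_gets() nor any code posted in this thread: a deliberately broken line reader whose escaped-byte (IAC IAC) path skips the remaining-space check, next to a hardened reader that bounds every store and rejects over-long lines, both driven by a constructed stream of IAC IAC pairs. Buffer sizes, function names and the sample input are all assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* TELNET command bytes (RFC 854) that may appear on the FTP control channel. */
enum { TN_WILL = 251, TN_WONT = 252, TN_DO = 253, TN_DONT = 254, TN_IAC = 255 };

/* Simplified illustration, NOT ProFTPD's code: copy one command line from the
 * control-channel byte stream into dst while stripping TELNET negotiation.
 * IAC IAC is an escaped literal 0xFF and must be stored; IAC WILL/WONT/DO/DONT
 * <opt> and IAC <cmd> are dropped.
 *
 * Vulnerable variant: `left` (free space in dst) is checked and decremented
 * only on the plain-data path.  The store for an escaped IAC IAC skips that
 * check, so a stream of IAC IAC pairs keeps writing past dst.  Returns the
 * number of bytes stored before the NUL, so a caller can see the overrun. */
size_t telnet_gets_vuln(char *dst, size_t dstsz, const unsigned char *in, size_t inlen)
{
    size_t left = dstsz - 1;          /* keep one byte for the NUL */
    size_t o = 0, i = 0;
    int mode = 0;                     /* 0 = data, 1 = after IAC, 2 = after IAC WILL..DONT */

    while (i < inlen) {
        unsigned char c = in[i++];
        if (mode == 2) { mode = 0; continue; }            /* drop the option byte */
        if (mode == 1) {
            mode = 0;
            if (c == TN_IAC)
                dst[o++] = (char)c;                       /* BUG: no room check, `left` untouched */
            else if (c >= TN_WILL && c <= TN_DONT)
                mode = 2;
            continue;
        }
        if (c == TN_IAC) { mode = 1; continue; }
        if (left == 0) break;
        dst[o++] = (char)c;
        left--;
        if (c == '\n') break;
    }
    dst[o] = '\0';
    return o;
}

/* Hardened variant: every store, escaped or not, passes one bounds check, and
 * a line that does not fit is rejected (-1) rather than silently truncated. */
long telnet_gets_safe(char *dst, size_t dstsz, const unsigned char *in, size_t inlen)
{
    size_t o = 0, i = 0;
    int mode = 0;

    if (dstsz == 0) return -1;
    while (i < inlen) {
        unsigned char c = in[i++];
        if (mode == 2) { mode = 0; continue; }
        if (mode == 1) {
            mode = 0;
            if (c >= TN_WILL && c <= TN_DONT) { mode = 2; continue; }
            if (c != TN_IAC) continue;                    /* two-byte command: dropped */
            /* IAC IAC: fall through and store one literal 0xFF */
        } else if (c == TN_IAC) {
            mode = 1;
            continue;
        }
        if (o + 1 >= dstsz) return -1;                    /* no room for byte + NUL */
        dst[o++] = (char)c;
        if (c == '\n') break;
    }
    dst[o] = '\0';
    return (long)o;
}

/* Constructed attacker stream: `pairs` escaped IAC IAC sequences, then CRLF. */
static size_t build_iac_flood(unsigned char *out, size_t pairs)
{
    size_t n = 0, k;
    for (k = 0; k < pairs; k++) { out[n++] = TN_IAC; out[n++] = TN_IAC; }
    out[n++] = '\r';
    out[n++] = '\n';
    return n;
}

#define DECLARED 16    /* buffer size the reader is told it has */
#define ARENA    128   /* real allocation, so the demo overrun stays inside one object */

/* 1 if the vulnerable reader stored bytes beyond the declared buffer size. */
int vuln_overruns_buffer(void)
{
    unsigned char arena[ARENA], stream[ARENA];
    size_t n = build_iac_flood(stream, 40);             /* 82 input bytes */
    size_t written;

    memset(arena, 'X', sizeof arena);
    written = telnet_gets_vuln((char *)arena, DECLARED, stream, n);
    /* 40 x 0xFF, then '\r' and '\n': 42 bytes stored into a 16-byte buffer */
    return written > DECLARED && arena[DECLARED] == 0xFF;
}

/* 1 if the hardened reader refuses the same stream. */
int safe_rejects_flood(void)
{
    unsigned char stream[ARENA];
    char buf[DECLARED];
    size_t n = build_iac_flood(stream, 40);
    return telnet_gets_safe(buf, sizeof buf, stream, n) == -1;
}

int main(void)
{
    printf("vulnerable reader overran its buffer: %s\n", vuln_overruns_buffer() ? "yes" : "no");
    printf("hardened reader rejected the line:    %s\n", safe_rejects_flood() ? "yes" : "no");
    return 0;
}
```

The point of the demo is that the attacker never needs an over-long command: the per-byte space accounting has a path that does not charge for what it writes, and the escaped-IAC path is reachable before authentication because negotiation is processed on the control connection itself. The hardened reader makes the check the only way to store a byte and fails closed on a line that will not fit.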
     
  2. kevork

    kevork Guest

    Hello Juergen,

    Is your proftp working in your Plesk?
    Mine is 10.0.1, and FTP is totally out of service.

    Thanks,
    Jorge.
     
  3. atomicturtle

    atomicturtle Golden Pleskian

    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    psa-proftpd 1.3.3c is available in the atomic repo. To upgrade:

    1) Add the atomic repo
    wget -O - http://www.atomicorp.com/installers/atomic |sh

    2) Upgrade psa-proftpd
    yum upgrade psa-proftpd

    Note this also includes support for ClamAV, RBLs, and SFTP.
     
  4. JuergenW

    JuergenW New Pleskian

    Joined:
    Jun 30, 2010
    Messages:
    6
    Likes Received:
    0
    Yes, we are using FTP and ProFTPD.
    The atomic RPMs seem to be nice. But we'd prefer an original update from Parallels. Parallels, can you please post a short statement?

    Thanks!
     
  5. thewolf

    thewolf Regular Pleskian

    Joined:
    Mar 11, 2004
    Messages:
    231
    Likes Received:
    0
    Is Parallels going to release a fixed ProFTP package for Plesk 8.6, 9.x and 10.x anytime soon?

    Thanks.
     
  6. ugr|dual

    ugr|dual New Pleskian

    Joined:
    Jan 30, 2009
    Messages:
    18
    Likes Received:
    0
    This should be fixed ASAP. Critical.
     
  7. thewolf

    thewolf Regular Pleskian

    Joined:
    Mar 11, 2004
    Messages:
    231
    Likes Received:
    0
    Does anyone know if this vulnerability also affects the ProFTPD version shipped with Plesk 8.6 and 9.x?

    Thanks.
     
  8. Bevan

    Bevan Basic Pleskian

    Joined:
    Aug 12, 2007
    Messages:
    25
    Likes Received:
    0
    http://bugs.proftpd.org/show_bug.cgi?id=3521

    I think proftpd-1.3.2 was shipped with Plesk 9.5 for the first time. At least Plesk 9.3.0 was shipped with proftpd-1.3.1 and should not be affected by this issue.
     
  9. IgorG

    IgorG Forums Analyst Staff Member

    Joined:
    Oct 27, 2009
    Messages:
    24,572
    Likes Received:
    1,243
    Location:
    Novosibirsk, Russia
  10. tape

    tape Guest

  11. JamieRW

    JamieRW Guest

    Quick question, how do I disable FTP services on Debian, Plesk 9.5.2?

    ta.
     
  12. horst rupp

    horst rupp Basic Pleskian

    Joined:
    Feb 28, 2009
    Messages:
    30
    Likes Received:
    0
    Don't know exactly; on CentOS it's started via xinetd, so look in /etc/xinetd.conf or /etc/xinetd.d/psa_ftp, and after the change restart xinetd and see whether "ftp localhost" still works.

    Anyway, better questions would be:
    1. How do I find out if my server got hacked in the 6 days between public availability of the crack and switching off FTP/fixing it?
    2. How do I restore my backup image from 10 days ago (because there's no perfect answer to question 1)?
     
  13. madsere

    madsere Regular Pleskian

    Joined:
    May 8, 2005
    Messages:
    200
    Likes Received:
    0
    I wanted to stop the proftpd server so went to /etc/xinetd.d/ftp_psa and set "disabled" to "yes" and it stopped it. Next day however it was running again and when I checked the disabled value in ftp_psa had changed back to no.

    What's going on? Is Plesk automatically restarting it again? I didn't find a place in Plesk to manage the status of proftpd.
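The last few posts turn into one procedure: find out whether the installed psa-proftpd is already the 1.3.3c release the thread names as the fix, whether the xinetd-managed FTP service is really switched off, and what is actually listening on tcp/21 regardless of what the config says. The script below is an added example, not from the thread, Parallels or Atomicorp, and assumes: the cutoff (anything below 1.3.3c is flagged, which is all the thread supports; it says nothing about which older versions are safe), the rpm(8) query for the package version, and the service file names, since the thread mentions both /etc/xinetd.d/ftp_psa and /etc/xinetd.d/psa_ftp. Note that the xinetd attribute is spelled disable (xinetd.conf(5)); a line reading "disabled" is not recognised by xinetd.

```sh
#!/bin/sh
# Added example (not from the thread): audit a Plesk host for the ProFTPD fix
# level and the xinetd FTP service state.  Run with --live to inspect this host;
# without arguments it only defines the functions.

# Split an RPM version such as "1.3.3" or "1.3.3c" into "MAJOR MINOR PATCH LETTER-"
# (the trailing "-" keeps the field present when no letter follows).
# Prints nothing if the string does not parse.
proftpd_version_key() {
    printf '%s\n' "$1" | sed -n \
        's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)\([a-z]*\).*$/\1 \2 \3 \4-/p'
}

# Exit 0 if VERSION is 1.3.3c or later, 1 if older, 2 if unparseable.
# Cutoff taken from the thread: 1.3.3c is the release that fixes the IAC overflow.
proftpd_is_fixed() {
    set -- $(proftpd_version_key "$1")
    [ $# -eq 4 ] || return 2
    [ "$1" -gt 1 ] && return 0
    [ "$1" -eq 1 ] && [ "$2" -gt 3 ] && return 0
    [ "$1" -eq 1 ] && [ "$2" -eq 3 ] && [ "$3" -gt 3 ] && return 0
    if [ "$1" -eq 1 ] && [ "$2" -eq 3 ] && [ "$3" -eq 3 ]; then
        case "${4%-}" in
            [c-z]) return 0 ;;
        esac
    fi
    return 1
}

# Exit 0 if the xinetd service file at $1 contains "disable = yes".
xinetd_service_disabled() {
    grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# Live audit of this host.  Package name and service file paths are the
# thread's; the netstat check is independent of either.
audit_host() {
    ver=$(rpm -q --qf '%{VERSION}\n' psa-proftpd 2>/dev/null) || ver=''
    if [ -z "$ver" ]; then
        echo "psa-proftpd: not installed or rpm query failed"
    elif proftpd_is_fixed "$ver"; then
        echo "psa-proftpd $ver: 1.3.3c or later"
    else
        echo "psa-proftpd $ver: OLDER than 1.3.3c, upgrade or disable FTP"
    fi
    for f in /etc/xinetd.d/ftp_psa /etc/xinetd.d/psa_ftp; do
        [ -f "$f" ] || continue
        if xinetd_service_disabled "$f"; then
            echo "$f: disable = yes"
        else
            echo "$f: FTP service enabled under xinetd"
        fi
    done
    # What is really listening, whatever the config files say:
    netstat -tln 2>/dev/null | grep -E '[:.]21[[:space:]]' || echo "nothing listening on tcp/21"
}

if [ "${1:-}" = "--live" ]; then
    audit_host
fi
```

Run the audit both before and after upgrading, and again the next day: madsere's report above is exactly the case the listener check is for, a config edit that looks applied but is not what the host is doing. If you take the atomic repo route from post 3, fetch the installer to a file and read it before running it rather than piping it straight into sh.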
     