• The APS Catalog has been deprecated and removed from all Plesk Obsidian versions.
    Applications already installed from the APS Catalog will continue working. However, Plesk will no longer provide support for APS applications.
  • Please be aware: with the Plesk Obsidian 18.0.78 release, the support for the ngx_pagespeed.so module will be deprecated and removed from the sw-nginx package.

Security Issue in Proftpd in Plesk?

We would also be VERY interested if our Plesk Servers are vulnerable to this Security Issue ... and if yes - when a patch will be available (as this Bug is exploited in the wild)
thx
Andreas Schnederle-Wagner
 
@furureweb:
I know for sure that Version 1.35 of the Proftpd Server (current Stable Version) is NOT Secured as Heise Online (A Big German Security Protal) has announced.
Anway you can Download a Patch fix from the Github of Proftpd here: https://github.com/proftpd/proftpd/commit/35b65aaf7219be474f621a874ec77c85d9ec794d.patch
But you have to Compile it by yourselfe.

Currently i dont know if the Patch Fix provided on Github is working with the Plesk proftpd, since the Plesk proftpd is not 100% the Original Verison you can download from the Homepage of proftpd (its adapted to the Plesk System).
So i would NOT RECCOMEND it to download and try the fix on a live System, since as i said im not sure if it is compatible with the Plesk proftpd Version
 
According to my tests - it seems that Plesk proftpd is NOT vulnerable at all ...

Code: 
[root@server etc]# telnet localhost 21
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 ProFTPD 1.3.5 Server (ProFTPD) [::1]
site cpfr /etc/passwd
500 'SITE CPFR' not understood

Which makes sense --> proftpd -vv doesn't show mod_copy module loaded ... so I guess we are safe ... ;-)

Andreas
 
You must log in or register to reply here.

Similar threads

M
Resolved Roundcube vulnerability CVE-2025-49113
2
Replies
29
Views
13K
Sebahat.hadzhi
Sebahat.hadzhi
Hangover2
Critical security issue fixed on 24–25 February 2026 (Plesk Obsidian 18.0.75 Update 1 / 18.0.76 Update 2) — request for vulnerability details
Replies
4
Views
2K
Hangover2
Hangover2
M
Issue NetworkManager and Plesk Email Security: How to deal with conflating/ambiguous demands?
Replies
2
Views
853
MHC_1
M
H
Question Security Question: Found a "JuicyPotato.php" file in Plesk directory
Replies
7
Views
4K
hypmen
H
N
Issue 421 Misdirected Request on Apache-only Plesk server after recent Apache update (CVE-2025-23048)
Replies
2
Views
7K
NatuurlijkHosting
N
Back
Top