Facebook
Twitteratomicturtle
Golden Pleskian
Its not the psa-proftpd package, its whatever is managing the xinetd config file in Plesk 10. Looks like the package name has changed between 9 and 10.
-
We value your experience with Plesk during 2024
Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
Please take this short survey:
https://pt-research.typeform.com/to/AmZvSXkx -
The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
-
We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.
URGENT: security fix for psa-proftpd?
- Thread starter horst rupp
- Start date
atomicturtle
Golden Pleskian
psa-proftpd 1.3.3c-2 has been released in the [atomic] repo to support Plesk 10 environments.
horst rupp
Basic Pleskian
what is "very soon" in days?
S
stupidnic
Guest
I find it funny that the bug was raised on October 29th (with Proftpd), and presented here on November 1st, and here is it November 10th and Plesk still doesn't have a patch for an _unauthenticated_ remote exploit. Even more laughable is that a third party vendor (atomic) has had a patch out for this security exploit for over a week. There is an exploit in the wild specifically targeting Plesk installs that has been out for three days.
I found four servers that have already been compromised using this exploit. We have disabled FTP on all Debian Plesk machines to prevent further exploits (our CentOS machines already use the atomic repos and were already protected).
I have to wonder what exactly is the hold up here. If Plesk offered the source packages for Debian I would have already patched this myself a week ago (which they are required to provide under the GPL, but don't seem to offer anywhere - but that is another matter completely).
I found four servers that have already been compromised using this exploit. We have disabled FTP on all Debian Plesk machines to prevent further exploits (our CentOS machines already use the atomic repos and were already protected).
I have to wonder what exactly is the hold up here. If Plesk offered the source packages for Debian I would have already patched this myself a week ago (which they are required to provide under the GPL, but don't seem to offer anywhere - but that is another matter completely).
Last edited by a moderator:
horst rupp
Basic Pleskian
the metasploit-module is 6 days old.
S
stupidnic
Guest
Yep, and the one released on full-disclosure specifically references Plesk:
Code:
["Debian GNU/Linux 5.0, ProFTPD 1.3.2e Server (Plesk binary)",
...
["Debian GNU/Linux 5.0, ProFTPD 1.3.3 Server (Plesk binary)",
...
["Debian GNU/Linux 4.0, ProFTPD 1.3.2e Server (Plesk binary)",
...
["SUSE Linux 9.3, ProFTPD 1.3.2e Server (Plesk binary)",
...
["SUSE Linux 10.0/10.3, ProFTPD 1.3.2e Server (Plesk binary)",
...
["SUSE Linux 10.2, ProFTPD 1.3.2e Server (Plesk binary)",
...
["SUSE Linux 11.0, ProFTPD 1.3.2e Server (Plesk binary)",
...
["SUSE Linux 11.1, ProFTPD 1.3.2e Server (Plesk binary)",
...
["SUSE Linux SLES 10, ProFTPD 1.3.2e Server (Plesk binary)",
...
["CentOS 5, ProFTPD 1.3.2e Server (Plesk binary)",
...
S
stupidnic
Guest
The problem according to the proftpd bugs database was introduced in version 1.3.2rc3 of ProFTPd. Looking at a Plesk 8.6 server I can see that the server is running ProFTPd verison 1.3.2e which would appear to be affected as well.
I am curious what Parallels will say about support for that version of Plesk.
I am curious what Parallels will say about support for that version of Plesk.
T
trialot
Guest
UPDATE Solution
In my last post, I asked about the consequences of symlinking.
Still wanting some feedback, but some remarks, when using the "symlink solution with newly compiled proftpd":
A - ftpxxx tools
- /usr/bin directory has some ftpdxxxx files (ftpwho, ftpcount etc) in it,
- these files are "old" and will not work with the newer version of proftpd
- if desired (not necessary), symlink those files to the new files (in the compilation directory)
B - Modules
Standard compilation of the newer version of proftpd (just issuing ./configure without custom config file) does exclude some modules that are present in the psa-proftpd compilation.
As far as I can see, no harm in missing them, but the missing modules are:
- mod_tls
- mod_quota (in the newer version, presumably mod_quotatab)
- mod_readme
- mod_ratio
They can be found in the contrib folder of the proftpd source directory, just compile them in your own version of proftpd.
C - UNRESOLVED vulnerability: mod_site
Somehow, I do understand that the newer 1.3.3c version resolves the security issues, except for the mod_site vulnerability. Less severe, but still annoying.
Parallels, resolve that in a hotfix.
D - Post scriptum
If any reasonable compilation of proftpd results, I will give it to anybody who asks/mails.
Naturally, Parallels should be providing the hotfix and, in the meantime, hope I can help.
In my last post, I asked about the consequences of symlinking.
Still wanting some feedback, but some remarks, when using the "symlink solution with newly compiled proftpd":
A - ftpxxx tools
- /usr/bin directory has some ftpdxxxx files (ftpwho, ftpcount etc) in it,
- these files are "old" and will not work with the newer version of proftpd
- if desired (not necessary), symlink those files to the new files (in the compilation directory)
B - Modules
Standard compilation of the newer version of proftpd (just issuing ./configure without custom config file) does exclude some modules that are present in the psa-proftpd compilation.
As far as I can see, no harm in missing them, but the missing modules are:
- mod_tls
- mod_quota (in the newer version, presumably mod_quotatab)
- mod_readme
- mod_ratio
They can be found in the contrib folder of the proftpd source directory, just compile them in your own version of proftpd.
C - UNRESOLVED vulnerability: mod_site
Somehow, I do understand that the newer 1.3.3c version resolves the security issues, except for the mod_site vulnerability. Less severe, but still annoying.
Parallels, resolve that in a hotfix.
D - Post scriptum
If any reasonable compilation of proftpd results, I will give it to anybody who asks/mails.
Naturally, Parallels should be providing the hotfix and, in the meantime, hope I can help.
A
Adam Mudie
Guest
Am I Affected
Hey Guys
Are my servers afected?
[admin@au1-h1-b4-p1 ~]# proftpd -v
- ProFTPD Version 1.3.1
[admin@au1-h1-b4-p1 ~]# uname -a
Linux au1-h1-b4-p1 2.6.18-028stab060.8 #1 SMP Mon Feb 9 20:25:36 MSK 2009 x86_64 x86_64 x86_64 GNU/Linux
[root@au1-h1-b4-p1 ~]#
How can u upgrade with without yum?
I cant install atomic without yum..
Can someone give me step by step as i don't wanna break it
Cheers
Ryan
Hey Guys
Are my servers afected?
[admin@au1-h1-b4-p1 ~]# proftpd -v
- ProFTPD Version 1.3.1
[admin@au1-h1-b4-p1 ~]# uname -a
Linux au1-h1-b4-p1 2.6.18-028stab060.8 #1 SMP Mon Feb 9 20:25:36 MSK 2009 x86_64 x86_64 x86_64 GNU/Linux
[root@au1-h1-b4-p1 ~]#
How can u upgrade with without yum?
I cant install atomic without yum..
Can someone give me step by step as i don't wanna break it
Cheers
Ryan
EduardoG
Basic Pleskian
There is acritical bug and we have to wait 10 days for Parallels to release a hotfix, when official proftpd is already patched.
BTW, updating with atomic leads to another problem:
This is a terrible service from Parallels, is this what we have to expect from them? 10 days to fix a bug? Is that the price of the license?
BTW, updating with atomic leads to another problem:
Code:
Determining the packages that need to be installed.
ERROR: Unable to proceed with the installation until the package psa-proftpd-1.3.3c-2.el5.art.x86_64 is removed from the system.
Not all packages were installed.This is a terrible service from Parallels, is this what we have to expect from them? 10 days to fix a bug? Is that the price of the license?
Why does your notice continue to ignore the fact that Plesk 8 is also vulnerable?
Why do not want upgrade this very-very old Plesk version?
EduardoG
Basic Pleskian
What should we do if we applied atomic update? (as suggested at http://www.parallels.com/products/plesk/ProFTPD)
This installs right, but leads to autoinstaller error:
Should I uninstall proftpd from all servers?
Code:
A Proftpd update for Plesk has been provided by Atomic Rocket Turtle. To apply the update, execute the commands below.
# wget -O - http://www.atomicorp.com/installers/atomic |sh
# yum upgrade psa-proftpdThis installs right, but leads to autoinstaller error:
Code:
ERROR: Unable to proceed with the installation until the package psa-proftpd-1.3.3c-2.el5.art.x86_64 is removed from the system.Should I uninstall proftpd from all servers?
Similar threads
