• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Vulnerability in ProFTP 1.3.3d (PCI Compliance)

J

JohnToTheK

New Pleskian
We are currently using Plesk Panel 10.0.0 on CentOS 4.9. I realize our server is well out of date, but due to extraneous circumstances, we haven't been able to update it.

While that is the case, we are still held to PCI compliance standards. One of their scans flagged our server with this:

possible vulnerability in ProFTP 1.3.3d

Risk: High (3)
Port: 20/tcp
Protocol: tcp
Threat ID: ftp_proftp

Details: Response Pool Use-After-Free Vulnerability

11/17/11
CVE 2011-4130
ProFTPD before 1.3.3g is prone to a vulnerability,
which can be exploited by malicious users to compromise a vulnerable system.
The vulnerability is caused due to a use-after-free error when handling response pool allocation lists and can be exploited to corrupt memory.
Successful exploitation may allow execution of arbitrary code.

Information From Target:
Service: ftp
Received: 220 ProFTPD 1.3.3d Server (ProFTPD)
Click to expand...

My question is this: is it possible to upgrade ProFTPD to at least 1.3.3g on our server? We can't use the yum command anymore, since they've turned off the repositories for our outdated server. What are our options here? Thanks so much for any advice!
 
Blake, thanks so much for the reply.

Since we are currently running CentOS 4.9, we were told that we can't update past Plesk 10.0.0, where we are now. So I have been operating under the assumption that unless we change our server, we can't update Plesk anymore.

Is that true?

If that is true, is there any other option for upgrading ProFTP, outside of upgrading Plesk?
 
CentOS 4 is actually supported up to Plesk 10.2. You could update to this version and apply all MicroUpdates to get the ProFTPd fixed version. http://download1.parallels.com/Ples...nel-10-linux-updates-release-notes.html#10212

That said, given that CentOS 4 has been EOL'ed by its vendor, I think it would be in your best interests (in terms of both PCI and security overall) to get a new server with CentOS 5 or CentOS 6 with Plesk 11.x and migrate your Plesk instance to this new server at your earliest convenience.
 
You must log in or register to reply here.

Similar threads

Automata
  • Poll
Input FEATURE REQUEST: Add SSH2 extension to PHP default extensions to improve security.
Replies
2
Views
3K
Automata
Automata
O
Question Plesk Admin Panel - Internal IP address Revealed on port 8443 (PCI Compliance Issue)
Replies
0
Views
1K
OWEUX LLC
O
Edi Duluman
Resolved How to fix the TLS Poodle PCI Compliance issue
Replies
2
Views
2K
Edi Duluman
Edi Duluman
D
PCI Compliance Issues
Replies
2
Views
2K
Jllynch
Jllynch
D
SSL/TLS Protocol Vulnerability PCI Scan
Replies
8
Views
20K
RalphP
R
Back
Top