• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Security Issue in Proftpd in Plesk?

We would also be VERY interested if our Plesk Servers are vulnerable to this Security Issue ... and if yes - when a patch will be available (as this Bug is exploited in the wild)
thx
Andreas Schnederle-Wagner
 
@furureweb:
I know for sure that Version 1.35 of the Proftpd Server (current Stable Version) is NOT Secured as Heise Online (A Big German Security Protal) has announced.
Anway you can Download a Patch fix from the Github of Proftpd here: https://github.com/proftpd/proftpd/commit/35b65aaf7219be474f621a874ec77c85d9ec794d.patch
But you have to Compile it by yourselfe.

Currently i dont know if the Patch Fix provided on Github is working with the Plesk proftpd, since the Plesk proftpd is not 100% the Original Verison you can download from the Homepage of proftpd (its adapted to the Plesk System).
So i would NOT RECCOMEND it to download and try the fix on a live System, since as i said im not sure if it is compatible with the Plesk proftpd Version
 
According to my tests - it seems that Plesk proftpd is NOT vulnerable at all ...

Code: 
[root@server etc]# telnet localhost 21
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 ProFTPD 1.3.5 Server (ProFTPD) [::1]
site cpfr /etc/passwd
500 'SITE CPFR' not understood

Which makes sense --> proftpd -vv doesn't show mod_copy module loaded ... so I guess we are safe ... ;-)

Andreas
 
You must log in or register to reply here.

Similar threads

UHolthausen
Input Plesk user interface
Replies
2
Views
546
UHolthausen
UHolthausen
M
Issue Lets Encrypt SSL issued but the website is not secured
Replies
9
Views
2K
Kaspar@Plesk
Kaspar@Plesk
P
Resolved Issue with Subscription Backups in Plesk CLI Using FTP Storage
Replies
5
Views
1K
paolotrombini25
P
M
Resolved Plesk restore from a ZIP after server failure.
Replies
0
Views
460
mad_inventor
M
H
Question SSH user can see other subdomain directories even with chrooted shell?
Replies
3
Views
561
Raul A.
R
Back
Top