Is ProFTPD 1.3.5 package shipped with Plesk affected by CVE-2015-3306?

Created:

2016-11-16 12:56:18 UTC

Modified:

2017-04-24 11:31:54 UTC

Applicable to:

  • Plesk 11.0 for Linux
  • Plesk 11.5 for Linux
  • Plesk 12.0 for Linux

Question

ProFTPD 1.3.5 is affected by CVE-2015-3306 vulnerability. Does it mean that ProFTPD 1.3.5 shipped with Plesk is vulnerable too?

Answer

Currently supported Plesk versions ship ProFTPD packages compiled without the mod_copy module (the module that implements the SITE CPFR/CPTO commands), e.g. Plesk 12.0.18 on CentOS 6:

# rpm -qa | grep proftp
psa-proftpd-1.3.5-cos6.build1200140529.18.x86_64
# /usr/sbin/proftpd -V | grep -i configure
configure '--with-modules=mod_ratio:mod_readme:mod_quotatab:mod_quotatab_file:mod_tls' '--enable-nls' '--enable-auth-pam' '--enable-ncurses' '--enable-ipv6' '--enable-buffer-size=8192' '--prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib64' '--datadir=/usr/share' '--sysconfdir=/etc' '--sharedstatedir=/usr/com' '--localstatedir=/var' '--libdir=/usr/lib64' '--includedir=/usr/include' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--build=x86_64-redhat-linux' '--host=x86_64-redhat-linux' 'build_alias=x86_64-redhat-linux' 'host_alias=x86_64-redhat-linux' 'CC=gcc' 'CFLAGS=-O2 -g' 'LDFLAGS=' 'CPPFLAGS=-O2 -g' 'CXX=g++' 'CXXFLAGS=-O2 -g'

In addition, you can verify that ProFTPD is not vulnerable by connecting to the FTP port and checking that the SITE CPFR command is rejected as not understood:

# telnet localhost 21
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 ProFTPD 1.3.5 Server (ProFTPD) [::1]
site cpfr /etc/passwd
500 'SITE CPFR' not understood
quit
221 Goodbye.

Since the mod_copy module is not included in the ProFTPD packages shipped with Plesk, they are not vulnerable to unauthenticated copying of files via the SITE CPFR/CPTO commands.
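As an added illustration (not part of the Plesk article), the same SITE CPFR check automated with Python's ftplib so it can be run against a list of servers. The probe path and the sample replies other than the first one are constructed for this example; only the "500 'SITE CPFR' not understood" line comes from the article.

```python
"""Audit helper: does an FTP server recognise SITE CPFR (ProFTPD mod_copy)?"""
import ftplib
import sys

# Placeholder path: CPFR alone copies nothing, and the path need not exist.
PROBE_PATH = "/nonexistent-mod_copy-probe"

# Replies constructed for offline testing; only "plesk-proftpd" is from the article.
SAMPLE_REPLIES = {
    "plesk-proftpd": "500 'SITE CPFR' not understood",
    "mod_copy-missing-file": "550 /nonexistent-mod_copy-probe: No such file or directory",
    "mod_copy-accepted": "350 File or directory exists, ready for destination name",
}


def classify_reply(reply: str) -> str:
    """Map the server's reply to SITE CPFR to a verdict.

    Only a 500 'not understood' reply shows the command is absent, i.e.
    mod_copy is not compiled in. Any other numeric code (550 for a missing
    file, 350 when accepted) means the server parsed the command, so the
    module is present and the package needs attention.
    """
    code = reply[:3]
    if code == "500" and "not understood" in reply.lower():
        return "mod_copy not loaded"
    if code.isdigit():
        return "mod_copy present (code %s)" % code
    return "unrecognised reply"


def probe_site_cpfr(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Connect, read the banner, send SITE CPFR before any login, classify.

    Assumes only that a plain FTP service listens on host:port.
    """
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        try:
            reply = ftp.sendcmd("SITE CPFR " + PROBE_PATH)
        except ftplib.Error as exc:  # ftplib raises on 4xx/5xx replies
            reply = str(exc)
    finally:
        ftp.close()
    return classify_reply(reply)


if __name__ == "__main__":
    print(probe_site_cpfr(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```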
