- Plesk 11.x for Linux
- Plesk 12.0 for Linux
ProFTPD 1.3.5 is affected by the CVE-2015-3306 vulnerability. Does this mean that ProFTPD 1.3.5 shipped with Plesk is vulnerable too?
Note for non-technical readers: no, it is not affected.
Currently supported Plesk versions are shipped with ProFTPD packages compiled without the "mod_copy" module, e.g. Plesk Onyx 17.5 on CentOS 6:
# rpm -qa | grep psa-proftpd
# /usr/sbin/proftpd -V | grep -i configure | grep mod_copy
In addition, to make sure that ProFTPD is not vulnerable:
# telnet localhost 21
Connected to localhost.
Escape character is '^]'.
220 ProFTPD 1.3.5 Server (ProFTPD) [::1]
site cpfr /etc/passwd
500 'SITE CPFR' not understood
Since the "mod_copy" module is not used by ProFTPD packages shipped with Plesk, it is not vulnerable to unauthenticated copying of files via SITE CPFR/CPTO commands.
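The telnet check above, scripted so it can be repeated after package updates. This is an added example, not part of the original article or of Plesk's tooling. The function names and verdict labels are hypothetical, and the 350 and 530 branches are assumptions based on standard FTP reply codes; the article itself shows only the 500 reply.

```python
import socket
import sys

def classify_cpfr_reply(reply: str) -> str:
    """Map the final reply line to 'SITE CPFR' onto a verdict."""
    code = reply.strip()[:3]
    if code == "500":
        return "not-exposed"     # command unknown: mod_copy is not compiled in
    if code == "350":
        return "exposed"         # assumption: CPFR accepted before login
    if code == "530":
        return "login-required"  # assumption: command known, refused before login
    return "inconclusive"

def read_reply(stream) -> str:
    """Return the final line of one FTP reply, skipping 'NNN-' continuation lines."""
    def next_line() -> str:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        return raw.decode("ascii", "replace").rstrip("\r\n")
    line = next_line()
    code = line[:3]
    if line[3:4] == "-":
        while not line.startswith(code + " "):
            line = next_line()
    return line

def probe(host="localhost", port=21, path="/etc/passwd", timeout=5.0):
    """Repeat the telnet session: read the banner, send SITE CPFR, classify."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rwb")
        banner = read_reply(stream)
        stream.write(f"SITE CPFR {path}\r\n".encode("ascii"))
        stream.flush()
        reply = read_reply(stream)
        stream.write(b"QUIT\r\n")
        stream.flush()
    return banner, reply, classify_cpfr_reply(reply)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    banner, reply, verdict = probe(target)
    print(f"{target}: {verdict}\n  banner: {banner}\n  reply:  {reply}")
```

Run it on the server itself with no arguments to test localhost; a "not-exposed" verdict corresponds to the 500 reply in the session above.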