- Plesk for Linux
Vulnerability CVE-2017-7418 was discovered in ProFTPD.
ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks.
Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.
Call to Action
ProFTPD configured by Plesk doesn't use
The default value is
AllowChrootSymlinks on which is not affected.
So ProFTPD, which is provided by Plesk, is not affected by this vulnerability.