Server Buddies
Server Buddies info@serverbuddies.com Server Management Offline Live Support English
Eng
Server Management
Spanish
Spa
     
Providing Dedicated Server Solutions Just a Click AWAY
Home
Services
Order
Support
News
Contact Us
About Us
server management
Empty
Cpanel Support
Plesk Support
Ensim Support
Webmin Support
Directadmin Support
Empty
We Accept
We accept Visa, Mastercard, Discover and American Express credit cards.
Paypal is also accepted. The email address to use to make PayPal payment to us is:
order@serverbuddies.com
Paypal Accepted Paypal Accepted
2Checkout



Empty
Testimonials
EXCELLENT WORK. Fixed all my problems in a fast, professional and effective manner. Will use for any other Server issues I encounter!
Advanced Phase.
See more reviews
Empty
News

Plesk - ProFTPD Remote Code Execution Vulnerability and Exploit

11-11-2010

Important Plesk Notification:

ProFTPD Remote Code Execution Vulnerability and Exploit.
A flaw in the popular ProFTPD FTP server potentially allows unauthenticated attackers to compromise a server. The problem is caused by a buffer overflow in the pr_netio_telnet_gets() function for evaluating TELNET IAC sequences.

ProFTPD bug report: http://bugs.proftpd.org/show_bug.cgi?id=3521

Parallels Plesk Panel 9.x, 9.5x and 10 include this vulnerability.

Parallels will issue Micro Updates (hotfixes) for 9.5.2 and 9.5.3 no later than 12:00 GMT (noon) on Thursday November 11, (7:00am EST in the US) to fix this.

The patch for Parallels Plesk Panel 10.01 will be released at 17:00 GMT on Thursday November 11, (12:00pm EST in the US).

Patches for Plesk 9.0, 9.22, and 9.3 will be posted by 12 noon GMT on Friday November 12, (7am EST in the US).

Parallels updates on this will be coming soon.

MORE INFORMATION:

Updating to ProFTPD version 1.3.3c or disabling FTP services is the only current solution to this vulnerability.

ProFTPD is capable of processing TELNET IAC sequences on port 21; the sequences enable or disable certain options not supported by the Telnet or FTP protocol itself.

The buffer overflow allows attackers to write arbitrary code to the application’s stack and launch it. Updating to version 1.3.3c of ProFTPD solves the problem.

The update also fixes a directory traversal vulnerability which can only be exploited if the “mod_site_misc” module is loaded.

This flaw could allow attackers with write privileges to leave their permitted path and delete directories or create symbolic links outside of the path.

A remote root exploit is available: [Full-disclosure]ProFTPD IAC Remote Root Exploit

Customers willing to have their server patched will require to purchase a 1x Hour of Support plan, which costs $35.

Feel free to contact us if you have any questions!

Remember, we listen to you! Any comments/suggestions should be sent to info@serverbuddies.com.

 
RedHat Support Debian Support Gentoo Linux Support FreeBSD Linux Fedora Support Ubuntu Support CentOS Support SuSe Support
Home | Services | Order | Support | News | About Us | Contact | Site Map | Refund & Privacy Policy | Blog