proftpd security vulerability??? Where can I find more info?

Status
Not open for further replies.

BianchiDude

Well-Known Member
PartnerNOC
Jul 2, 2005
619
0
166
proftpd security vulerability??? Where can I find more info?

was this on Bug Traq, I dont remember seeing anything on it.

Security At this time, it is recommended that all customers using proftpd Switch to pure-ftpd as soon as possible to eliminate a potential security hole. Please note that all released versions of proftpd are belived to be affected and the exact problem is not yet known. Customers who experience the problems switching are welcomed to bypass the normal support procedure and submit a ticket directly at http://support.cpanel.net
 

aaronray

Registered
Apr 3, 2005
1
0
151
I also can't find anything on this other than at cPanel. We have this on some of our other non cPanel machines and it's working OK, and I really don't want to switch to Pure due to its poor scalability. Can we get input from someone at cPanel as to a specific Secunia advisory or a specific bug that's reported in Bugzilla?
 

dbarclay

Registered
Mar 23, 2004
3
0
151
switch to pureFtp - FAILED

I have attempted to switch from proFtp to pureFtp but it fails.

WHM 9.9.9 cPanel 9.9.9-R14
SuSE 8.2 i686 - WHM X v3.1.0

thoughts?
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,488
35
158
cPanel Access Level
DataCenter Provider
BianchiDude said:
proftpd security vulerability??? Where can I find more info?

was this on Bug Traq, I dont remember seeing anything on it.

Security At this time, it is recommended that all customers using proftpd Switch to pure-ftpd as soon as possible to eliminate a potential security hole. Please note that all released versions of proftpd are belived to be affected and the exact problem is not yet known. Customers who experience the problems switching are welcomed to bypass the normal support procedure and submit a ticket directly at http://support.cpanel.net
This has yet to be offically confirmed. However I was personally able to get root with proftpd 1.3.0rc1, and I've been told others have had success doing so with 1.2.0.
 

manokiss

Well-Known Member
Mar 31, 2002
575
0
316
ok, but what about all the bugs pure-ftpd have? like the quota setup and those things? there will be any fix today?
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,488
35
158
cPanel Access Level
DataCenter Provider
manokiss said:
ok, but what about all the bugs pure-ftpd have? like the quota setup and those things? there will be any fix today?
The only known problem with pure-ftpd is editting the quota..which may already be fixed in edge (waiting for qa verification)
 

BianchiDude

Well-Known Member
PartnerNOC
Jul 2, 2005
619
0
166
cpanelnick said:
This has yet to be offically confirmed. However I was personally able to get root with proftpd 1.3.0rc1, and I've been told others have had success doing so with 1.2.0.
How did you get root?
 

fubfub

Registered
Jul 19, 2005
3
0
151
Well, anything that is hindering you from "releasing publicly" if this is also an issue with grsec? :)
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,488
35
158
cPanel Access Level
DataCenter Provider
fubfub said:
Well, anything that is hindering you from "releasing publicly" if this is also an issue with grsec? :)

We were not able to confirm it on more then one machine so far. At this point, its just an advisory. We feel its better to be proactive instead of reactive in the event it does turn out to be a major problem. Given that pure-ftpd has a better security history then proftpd, we feel this is the wisest course at this time.
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,488
35
158
cPanel Access Level
DataCenter Provider
cPanelBilly said:
This also will not be done.

Should we come up with a working proof of concept, it will be given to the proftpd developers so they can resolve the problem, it one does exist. Releasing it publicly at this point would be unprofessional it is still as of yet unconfirmed and would not allow people to patch affected systems before black hats got ahold of it.
 

rwoliver2

Member
Mar 15, 2005
9
0
151
Are you referring to this?

http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02

This is more of a timing issue with authentication, not really a root exploit. It would only help a hacker actually discover what usernames were valid or not, which they could do on Cpanel servers easily by using the ~username trick on the host's main IP.

Unless there's a way to get a root login or shell with ProFTPD, i'd say its reasonably safe to use, even with this security advisory.

Just my 0.02
 

manokiss

Well-Known Member
Mar 31, 2002
575
0
316
Nick,

just tested the last edge with pure-ftpd, looks like you fixed the quota problem but it continue creating the ftp username into the /etc/proftpd/accountname directory, the account work but wondering why it creating the username in the proftpd if i switched to pure.

ty!
 

gpan

Member
PartnerNOC
Feb 6, 2003
9
0
151
That's not what they are referring to - I believe its a new exploit they think is at play.
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,488
35
158
cPanel Access Level
DataCenter Provider
manokiss said:
Nick,

just tested the last edge with pure-ftpd, looks like you fixed the quota problem but it continue creating the ftp username into the /etc/proftpd/accountname directory, the account work but wondering why it creating the username in the proftpd if i switched to pure.

ty!

/etc/proftpd is used for backwards compat. It will probably get moved to /etc/vftp eventually, but since so many things rely on it being there it won't be too soon.
 
Status
Not open for further replies.