proftpd sql injection vulnerability

#1 Thu, 11/11/2010 - 21:21
neillc


Hi,

We are running Virtualmin on Centos 5.5 on a VPS at RimuHosting.

Today we received notification of an SQL injection vulnerability in proftpd.

See http://isc.sans.edu/diary.html?storyid=5845&rss and http://bugs.proftpd.org/show_bug.cgi?id=3173 if you are curious enough :)

Yum and Virtualmin don't offer us an update, and the change log shows no sign of this vulnerability being fixed. In fact we seem to be running 1.3.0a-3 which seems likely to be vulnerable.

The proftpd package looks like it comes from Virtualmin (although I'm a Debian guy and my rpm-fu is weak). I've checked our Debian servers and they do seem to have a patch for this issue.

If this is a Virtualmin-provided package, has this vulnerability been patched?

Otherwise can anyone give me a clue as to where to get a patched version?

Frankly, I'm not sure this is even an issue, as to the best of my knowledge we are not using any SQL backend anyway.

For now I've disabled ftp on that particular server. With luck no-one important will complain and I can disable ftp for good :)

Thanks, Neill

Fri, 11/12/2010 - 08:42
andreychek

Howdy,

That should only cause trouble for you if you're using SQL for handling logins (and have the mod_sql ProFTPd module loaded).

That said, if the ProFTPd version being distributed has a bug like that in it, even an infrequently used one, it should certainly be fixed :-)

It does look like the version is a bit older, so my recommendation would be to file a bug report using the Support link above, and mention that the ProFTPd version being distributed for CentOS systems is older and that you've found at least one security issue with it.

Thanks!

-Eric

Sat, 11/13/2010 - 02:35 (Reply to #2)
PaliGap

"Urgent Notification: Security Vulnerability to ProFTPD, a component service of Plesk:

Details of the Vulnerability or Exploit: A flaw in ProFTPD FTP server potentially allows unauthenticated attackers to compromise a server. The problem is caused by a buffer overflow in the pr_netio_telnet_gets() function for evaluating TELNET IAC sequences. ProFTPD is capable of processing TELNET IAC sequences on port 21; the sequences enable or disable certain options not supported by the Telnet or FTP protocol itself. The buffer overflow allows attackers to write arbitrary code to the application's stack and launch it. Updating to version 1.3.3c of ProFTPD solves the problem."

Sat, 11/13/2010 - 08:15
andreychek

I spoke with Joe yesterday about getting a new ProFTPd package out. That'll be coming shortly.

However, that particular security issue is described here:

http://www.virtualmin.com/node/16253#comment-71993

That vulnerability only exists on version proftpd-1.3.2rc3 and newer.

Again though, Joe will be packaging it up shortly :-)

-Eric
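A small check, added here as an example and not code from this thread or from the Virtualmin or ProFTPD projects, that applies the two criteria discussed above to a host: whether mod_sql is actually in use (the condition Eric gives for the SQL injection bug mattering) and whether the package version falls in the 1.3.2rc3 up to, but not including, 1.3.3c range given for the TELNET IAC overflow. The version boundaries are taken from the thread as stated, the `proftpd -l` module listing is constructed rather than captured from a real server, and the thread gives no fixed release for the injection bug, so that check is only "is mod_sql in use at all".

```python
import re

# Version facts as stated in the thread (assumed here, not verified upstream):
# the TELNET IAC overflow affects 1.3.2rc3 and newer and is fixed in 1.3.3c.
IAC_FIRST_AFFECTED = "1.3.2rc3"
IAC_FIXED = "1.3.3c"

def parse_version(text):
    """Turn '1.3.0a-3', '1.3.2rc3' or '1.3.3c' into a comparable tuple.
    rcN sorts before the final release of that number; a trailing letter
    is a patch level after it; an RPM release suffix ('-3') is dropped."""
    v = text.split("-", 1)[0]
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?$", v)
    if not m:
        raise ValueError("unrecognised ProFTPD version: %r" % text)
    major, minor, patch, rc, letter = m.groups()
    if rc is not None:
        stage = (0, int(rc))                      # 1.3.2rc3 < 1.3.2
    elif letter is not None:
        stage = (1, ord(letter) - ord("a") + 1)   # 1.3.3 < 1.3.3a < 1.3.3c
    else:
        stage = (1, 0)
    return (int(major), int(minor), int(patch)) + stage

def mod_sql_in_use(module_listing, conf_text=""):
    """mod_sql is compiled in (a `proftpd -l` line such as '  mod_sql.c' or a
    backend like mod_sql_mysql.c) or loaded as a DSO via LoadModule in proftpd.conf."""
    for line in module_listing.splitlines():
        if re.match(r"mod_sql(\.c$|_)", line.strip()):
            return True
    return re.search(r"^\s*LoadModule\s+mod_sql\.c", conf_text, re.M) is not None

def assess(version, module_listing, conf_text=""):
    """Report exposure to the two issues raised in the thread for one host."""
    v = parse_version(version)
    iac = parse_version(IAC_FIRST_AFFECTED) <= v < parse_version(IAC_FIXED)
    return {
        "sql_injection_exposed": mod_sql_in_use(module_listing, conf_text),
        "iac_overflow_affected": iac,
    }

# Constructed sample of `proftpd -l` output, not captured from a real host.
SAMPLE_MODULES = """Compiled-in modules:
  mod_core.c
  mod_auth.c
"""

if __name__ == "__main__":
    print(assess("1.3.0a-3", SAMPLE_MODULES))   # the package version from the thread
```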
