A critical security issue has been discovered in ProFTPD. This is the FTP server supplied with Plesk.
Today Plesk has announced a patch for the issue:
http://kb.parallels.com/en/9294
History on this issue can be found here:
http://bugs.proftpd.org/show_bug.cgi?id=3521
There was considerable confusion about this issue and what versions of Plesk are impacted. As we understand it, Plesk <= 9.3 is not impacted.
According to the ProFTPd bug reports:
Inspecting the sources of versions past indicates that this vulnerability has been present since proftpd-1.3.2rc3.
If you FTP into your server, the ProFTPD version will be displayed:
Code:
Connected to localhost.localdomain.
220 ProFTPD 1.3.1 Server (ProFTPD) [127.0.0.1]
500 AUTH not understood
500 AUTH not understood
If your version is 1.3.2rc3 or later, then review the Plesk information about fixing the issue.
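As an added example (not from the original post, Plesk or the ProFTPD project), the following Python script automates that banner check: it pulls the version out of the 220 greeting and applies the rule above that 1.3.2rc3 or later needs the fix, ordering rc builds before the final release and lettered releases after it. It assumes ProFTPD's default greeting format; the host name in the usage block is a placeholder.

```python
import re
import socket

# First version the ProFTPD bug report names as affected.
FIRST_AFFECTED = "1.3.2rc3"

# Default ProFTPD greeting, e.g. "220 ProFTPD 1.3.1 Server (ProFTPD) [127.0.0.1]".
BANNER_RE = re.compile(r"ProFTPD (\d+\.\d+\.\d+(?:rc\d+|[a-z])?)")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?")


def version_key(version):
    """Sort key giving 1.3.2rc1 < 1.3.2rc3 < 1.3.2 < 1.3.2a < 1.3.3rc1 < 1.3.3c."""
    m = VERSION_RE.fullmatch(version)
    if m is None:
        raise ValueError("unrecognised ProFTPD version: %r" % version)
    major, minor, patch, rc, letter = m.groups()
    if rc is not None:          # release candidate: sorts before the final release
        stage, sub = 0, int(rc)
    elif letter is not None:    # lettered maintenance release: sorts after it
        stage, sub = 1, ord(letter) - ord("a") + 1
    else:                       # plain final release
        stage, sub = 1, 0
    return (int(major), int(minor), int(patch), stage, sub)


def parse_banner(banner):
    """Return the version from a 220 greeting, or None if the banner hides it."""
    m = BANNER_RE.search(banner)
    return m.group(1) if m else None


def is_affected(version):
    """True when the version is 1.3.2rc3 or later, the rule given in the post."""
    return version_key(version) >= version_key(FIRST_AFFECTED)


def check_server(host, port=21, timeout=5.0):
    """Connect, read the greeting line and classify it. Returns (version, affected)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = sock.makefile("r", encoding="ascii", errors="replace").readline()
    version = parse_banner(greeting)
    return version, (is_affected(version) if version else None)


if __name__ == "__main__":
    # "ftp.example.invalid" is a placeholder host, not a value from the post.
    print(check_server("ftp.example.invalid"))
```

A result of None means the server does not identify itself in the banner, so the version has to be read from the package manager instead; a vendor build patched by backport may also keep its old version string, so treat a match as a prompt to read the Plesk KB article rather than as proof.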
There was another Plesk announcement yesterday, but some of the information at that time was incorrect:
http://www.parallels.com/products/plesk/ProFTPD
If you are unsure about your FTP, use Plesk's firewall module to block FTP and/or disable FTP at the command line:
Code:
chkconfig ftp_psa off
service xinetd restart