I have recently become aware of new (to me) attacks against ProFTPd on a Virtualmin Pro server running Ubuntu 14.04 LTS.
There is, apparently, no updated ‘proftpd’ package for Ubuntu 14.04 LTS and the included version is (apparently) vulnerable.
Is this something I should worry about?
Or does the Virtualmin implementation of ProFTPd mitigate this issue?
What have other Virtualmin admins done to mitigate this issue?
For now, I have commented out the mod_copy module in /etc/proftpd/modules.conf and restarted the daemon. I don’t know how successful this was nor do I know that it won’t cause problems for users. Has anyone else tried this?
Thanks in advance for any comments,
Virtualmin on Ubuntu does not mitigate the issue. It’s a bit more difficult to exploit since it needs a world-writable, predictable directory path. But if you have ProFTPd combined with that and a PHP interpreter, this is pretty disastrous.
I recently packaged the upstream fix as a backported patch for ProFTPd in 12.04 and 14.04. Please visit https://bugs.launchpad.net/ubuntu/+source/proftpd-dfsg/+bug/1462311 and indicate that you’re affected. It’s waiting on a member of the MOTU security team to review and sponsor my patch.