Article ID: 126172, created on Jul 13, 2015, last review on Jul 13, 2015

  • Applies to:
  • Plesk 12.0 for Linux
  • Plesk 11.0 for Linux
  • Plesk 11.5 for Linux


ProFTPD 1.3.5 is affected by the CVE-2015-3306 vulnerability. Does this mean that the ProFTPD 1.3.5 shipped with Plesk is vulnerable too?


The ProFTPD packages shipped with currently supported Plesk versions are compiled without the "mod_copy" module. For example, on Plesk 12.0.18 on CentOS 6:

# rpm -qa | grep proftp
# /usr/sbin/proftpd -V | grep -i configure
   configure  '--with-modules=mod_ratio:mod_readme:mod_quotatab:mod_quotatab_file:mod_tls' '--enable-nls' '--enable-auth-pam' '--enable-ncurses' '--enable-ipv6' '--enable-buffer-size=8192' '--prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib64' '--datadir=/usr/share' '--sysconfdir=/etc' '--sharedstatedir=/usr/com' '--localstatedir=/var' '--libdir=/usr/lib64' '--includedir=/usr/include' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--build=x86_64-redhat-linux' '--host=x86_64-redhat-linux' 'build_alias=x86_64-redhat-linux' 'host_alias=x86_64-redhat-linux' 'CC=gcc' 'CFLAGS=-O2 -g' 'LDFLAGS=' 'CPPFLAGS=-O2 -g' 'CXX=g++' 'CXXFLAGS=-O2 -g'

You can also confirm that ProFTPD is not vulnerable by sending the SITE CPFR command to the FTP service; a server without "mod_copy" replies that the command is not understood:

# telnet localhost 21
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 ProFTPD 1.3.5 Server (ProFTPD) [::1]
site cpfr /etc/passwd
500 'SITE CPFR' not understood
221 Goodbye.

Because the ProFTPD packages shipped with Plesk are built without the "mod_copy" module, they are not vulnerable to unauthenticated copying of files via the SITE CPFR/CPTO commands.
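
The two checks above can be scripted for an audit across several hosts. The following is an added example, not Plesk's or ProFTPD's own tooling: it goes slightly beyond the article by also flagging builds where mod_copy is a shared module or where DSO support would allow it to be loaded from the configuration. The function names and the DSO sample line are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Plesk's or ProFTPD's own tooling).

# List the modules named by one configure option in `proftpd -V` output (stdin).
# $1 is "with-modules" (static) or "with-shared" (DSO); prints one name per line.
modules_from_configure() {
    tr ' ' '\n' | tr -d "'" | sed -n "s/^--$1=//p" | tr ':' '\n'
}

# Classify a build from `proftpd -V` output on stdin:
#   static        mod_copy compiled in
#   shared        mod_copy built as a loadable module
#   dso-possible  not built, but DSO support means LoadModule could add it
#   absent        not built and no DSO support
classify_build() {
    out=$(cat)
    if printf '%s\n' "$out" | modules_from_configure with-modules | grep -qx mod_copy; then
        echo static
    elif printf '%s\n' "$out" | modules_from_configure with-shared | grep -qx mod_copy; then
        echo shared
    elif printf '%s\n' "$out" | grep -q -e '--enable-dso'; then
        echo dso-possible
    else
        echo absent
    fi
}

# Classify the server's reply line to the "site cpfr" probe from the article.
# Only the 500 reply shown in the article proves the command is unknown;
# any other reply is reported for manual review (assumption of this example).
classify_site_reply() {
    case "$1" in
        "500 "*) echo not-recognised ;;
        *)       echo review ;;
    esac
}

# Configure line from the article, shortened to the options that matter here.
PAGE_BUILD="   configure  '--with-modules=mod_ratio:mod_readme:mod_quotatab:mod_quotatab_file:mod_tls' '--enable-nls' '--enable-ipv6'"
# Constructed sample of a build that would need attention.
DSO_BUILD="configure '--with-modules=mod_tls' '--enable-dso' '--with-shared=mod_copy:mod_sftp'"

printf '%s\n' "$PAGE_BUILD" | classify_build
printf '%s\n' "$DSO_BUILD" | classify_build
classify_site_reply "500 'SITE CPFR' not understood"
```

On a live host, pipe `/usr/sbin/proftpd -V` into `classify_build`; a `shared` or `dso-possible` result means proftpd.conf should also be checked for a `LoadModule mod_copy.c` line.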
