ProFTPD Remote Code Execution Vulnerability and Exploit
A flaw in the popular ProFTPD FTP server potentially allows unauthenticated attackers to compromise a server. The problem is caused by a buffer overflow in the pr_netio_telnet_gets() function for evaluating TELNET IAC sequences.
ProFTPD bug report: http://bugs.proftpd.org/show_bug.cgi?id=3521
Fixes for the vulnerabilty and exploit.
Parallels has used its micro-update patch functionality in Plesk 9.5x, Plesk 10, and Small Business Panel 10.2 to fix this exploit. You can run the Parallels AutoInstaller to fix this or check the Updates section of your Plesk Panel 9.5x, Plesk 10, or Small Business Panel 10.2 to fix this. This is a file-replace, as opposed to a new install so it will be quick and reliable. To find this in the GUI:
Parallels Plesk Panel 10.x: “Server Management” -> “Tools & Utilities” -> “Updates” -> “Update Components” -> click “Continue”
Scanning Hosts with Nmap for vulnerability assessment.
Using Nmap
Nmap can be run from a shell prompt by typing the nmap command followed by the hostname or IP address of the machine to scan.
Administrators can use Nmap on a network to find host systems and open ports on those systems.
Nmap is a popular tool included in Red Hat Enterprise Linux that can be used to determine the layout of a network. Nmap has been available for many years and is probably the most often used tool when gathering information. An excellent man page is included that provides a de-
tailed description of its options and usage.
Nmap is a competent first step in vulnerability assessment. You can map out all the hosts within your network and even pass an option that allows Nmap to attempt to identify the operating system running on a particular host.
# nmap 127.0.0.1
Starting Nmap 4.76 ( http://nmap.org ) at 2009-10-16 16:05 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
3128/tcp open squid-http
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
For more information about using Nmap, refer to the official homepage at the following URL: http://www.insecure.org/
Preventing potential cross-site scripting vulnerability
There is a security issue related to Acrobat Reader version 7.08 and earlier versions . The flaw let hackers use a technique known as cross-site scripting, in which they blend malicious JavaScript with a link to a Portable Document Format (PDF) file on a Web site to hijack a user’s computer.
There is a server wide workaround for those who do not have the latest versions.
1 Search DefaultType in /usr/local/apache/conf/httpd.conf
After “DefaultType text/plain”
Add
AddType application/octect-stream .pdf
2 Next Enable mod_headers and check the version of apache (go to the specified directory)
cd /home/cpapachebuild/buildapache/apache_1.3.37/src/modules/standard
/usr/local/apache/bin/apxs -c mod_headers.c
/usr/local/apache/bin/apxs -i -a -n headers mod_headers.so
3 Search modsec in /usr/local/apache/conf/httpd.conf after the line add the following.
<IfModule mod_headers.c>
<FilesMatch “\.pdf$”>
Header append Content-Disposition “attachment;”
</FilesMatch>
</IfModule>
4 Restart apache