Fail of PCI / DSS compliance

Description: possible vulnerability in ProFTP 1.3.3e
Severity: Area of Concern
CVE: CVE-2011-4130 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4130>
Impact: Attackers exploiting these vulnerabilities may be able to execute arbitrary commands, perhaps with root privileges, gain unauthorized access, or disrupt service on a target system.

Resolution: Upgrade ProFTPD <http://www.proftpd.org> to version 1.3.3g (stable) <http://www.proftpd.org/docs/RELEASE_NOTES-1.3.3g> or greater. Please see the ProFTPD Project's general instructions on upgrading the software <http://www.proftpd.org/docs/howto/Upgrade.html>. If your copy of the ProFTPD server daemon is part of a larger software distribution, check with your software vendor for a newer or patched version.

All FTP server processes must run as root, at least during some parts of their operation, in order to bind to the reserved low-numbered network ports that are specified in the FTP standard <http://tools.ietf.org/html/rfc959>. The ProFTPD Project reminds administrators that, for greater security, the server should be configured to run under an unprivileged user ID <http://www.proftpd.org/docs/howto/ConfigFile.html#Identity> at all times when root privileges are not essential. Administrators with even stronger security requirements may want to configure the server to run entirely without root privileges <http://www.proftpd.org/docs/howto/Nonroot.html>, at the cost of some inconvenience.

In some cases, disallowing anonymous ftp access, or removing write permissions from all directories accessible by anonymous ftp could serve as a workaround. However, this will only be an effective *Solution* for those vulnerabilities which, as noted above, require the attacker to create files or directories on the server. You will still need to upgrade ProFTPD to fix the other vulnerabilities. Finally, ftp access can be restricted by using TCP wrappers <ftp://coast.cs.purdue.edu/pub/tools/unix/netutils/tcp_wrappers>.

Vulnerability Details:
Service: ftp
Received: 220 ProFTPD 1.3.3e Server (ProFTPD server)


Thanks in advance for any help
RC
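One way to check the two things the scan report raises, the version the daemon advertises in its 220 greeting and the identity/anonymous-write hardening the resolution text describes, as an added example that is not part of the original post or of ProFTPD itself. The banner, the 1.3.3g threshold and the User/Group/<Limit WRITE> directives come from the report; the sample proftpd.conf fragment is constructed.

```python
import re
# Constructed sample input (not captured from a real host): the greeting quoted in
# the scan report, plus a proftpd.conf fragment with both gaps the report describes.
BANNER = "220 ProFTPD 1.3.3e Server (ProFTPD server)"
FIXED_VERSION = "1.3.3g"  # first fixed release named in the report
WEAK_CONF = """
User root
Group root
<Anonymous ~ftp>
  User ftp
</Anonymous>
"""

_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")

def parse_version(text):
    """Return a comparable tuple such as (1, 3, 3, 'e'), or None if no version is present."""
    m = _VER.search(text)
    return None if m is None else tuple(int(x) for x in m.groups()[:3]) + (m.group(4),)

def banner_needs_upgrade(banner, fixed=FIXED_VERSION):
    """True when the advertised ProFTPD version is older than the fixed release."""
    found = parse_version(banner)
    return found is not None and found < parse_version(fixed)

def audit_config(conf_text):
    """List the hardening gaps the report describes: root identity and writable anonymous access."""
    stack, run_as, findings, anon_seen, anon_write_denied = [], {}, [], False, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            stack.append(line[1:-1].lower())          # e.g. "anonymous ~ftp", "limit write"
            anon_seen = anon_seen or stack[-1].startswith("anonymous")
        else:
            key, _, value = line.partition(" ")
            in_anon = any(s.startswith("anonymous") for s in stack)
            if key.lower() in ("user", "group") and not in_anon:
                run_as[key.lower()] = value.strip()   # server-wide identity only
            if key.lower() == "denyall" and in_anon and stack[-1] == "limit write":
                anon_write_denied = True
    if run_as.get("user", "root") == "root" or run_as.get("group", "root") == "root":
        findings.append("daemon identity is root: set User/Group to an unprivileged account")
    if anon_seen and not anon_write_denied:
        findings.append("anonymous section allows writes: add <Limit WRITE> DenyAll </Limit>")
    return findings
```

The version comparison treats a missing letter suffix as older than any lettered release, which matches how ProFTPD numbers its 1.3.3 point releases.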

_______________________________________________
Blueonyx mailing list
[email protected]
http://mail.blueonyx.it/mailman/listinfo/blueonyx
