ProFTPD on Debian Linux postinst Installation Privilege Escalation

This script is Copyright (C) 2003-2013 Tenable Network Security, Inc.

Synopsis :

The remote FTP server is affected by several flaws.

Description :

The following problems have been reported for the version of proftpd in
Debian 2.2 (potato):

1. The postinst script misconfigures the server when the user answers
'yes' to the question of whether anonymous access should be enabled.
It leaves the 'run as uid/gid root' setting in /etc/proftpd.conf and
appends a 'run as uid/gid nobody' setting that has no effect, so the
daemon keeps running as root.

2. When /var is a symlink and proftpd is restarted, the init script
removes the /var symlink on stop; on the next start a file named
/var is created in its place.
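
The two conditions above can be checked on a host before the package is restarted or upgraded. The following POSIX shell script is an added example and is not part of the Nessus plugin or the Debian package. It audits a proftpd.conf for a top-level 'User root' or 'Group root' directive (item 1) and warns when a given path, /var by default, is a symlink (item 2). It assumes, as the advisory's wording that the appended 'nobody' option "has no effect" suggests, that the first top-level User/Group directive is the one that takes effect, so a later duplicate is ignored; directives inside <Anonymous>, <Directory> or <Limit> blocks are skipped because those legitimately set a different user. The two sample configuration files written by write_samples are constructed for illustration, as are the function names.

```shell
#!/bin/sh
# Added example (not Tenable or Debian code): audit proftpd.conf for the
# potato postinst mistake and warn about a /var symlink before a restart.

# effective_directive FILE NAME
# Print the value of the first top-level occurrence of directive NAME,
# ignoring comments and anything inside <...> ... </...> blocks.
# Assumption: first top-level occurrence wins (the advisory says the
# postinst's appended 'nobody' option has no effect).
effective_directive() {
    awk -v name="$2" '
        { line = $0; sub(/#.*/, "", line); sub(/^[ \t]+/, "", line) }
        line == ""      { next }
        line ~ /^<\//   { depth--; next }   # closing tag: leave block
        line ~ /^</     { depth++; next }   # opening tag: enter block
        depth == 0 && tolower($1) == tolower(name) { print $2; exit }
    ' "$1"
}

# check_proftpd_conf FILE -> 0 if the daemon is not configured as root,
# 1 (with a warning on stderr) if the effective User or Group is root.
check_proftpd_conf() {
    conf=$1; status=0
    [ "$(effective_directive "$conf" User)" = "root" ] &&
        { echo "WARN: $conf: effective User is root" >&2; status=1; }
    [ "$(effective_directive "$conf" Group)" = "root" ] &&
        { echo "WARN: $conf: effective Group is root" >&2; status=1; }
    return $status
}

# check_var_symlink [PATH] -> 1 with a warning if PATH (default /var) is a
# symlink, since stop/start of the affected package replaces it with a file.
check_var_symlink() {
    dir=${1:-/var}
    if [ -L "$dir" ]; then
        echo "WARN: $dir is a symlink; restarting this proftpd breaks it" >&2
        return 1
    fi
    return 0
}

# write_samples DIR: constructed sample configs, not real Debian files.
# bad.conf mirrors what the buggy postinst leaves behind after answering
# 'yes'; fixed.conf is the intended result with the nobody/nogroup pair.
write_samples() {
    cat > "$1/bad.conf" <<'EOF'
# constructed sample: buggy postinst output
ServerName      "Debian"
ServerType      standalone
User            root
Group           root
<Anonymous ~ftp>
  User          ftp
  Group         ftp
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
# appended by the postinst, never takes effect:
User            nobody
Group           nogroup
EOF
    cat > "$1/fixed.conf" <<'EOF'
# constructed sample: intended configuration
ServerName      "Debian"
ServerType      standalone
User            nobody
Group           nogroup
<Anonymous ~ftp>
  User          ftp
  Group         ftp
</Anonymous>
EOF
}

# Stand-alone use: `sh audit.sh /etc/proftpd.conf` audits a real file;
# with no argument it demonstrates the checks on the constructed samples.
if [ -n "$1" ]; then
    check_proftpd_conf "$1" && echo "OK: $1 does not run as root"
    check_var_symlink || true
else
    demo=$(mktemp -d)
    write_samples "$demo"
    for f in "$demo/bad.conf" "$demo/fixed.conf"; do
        check_proftpd_conf "$f" && echo "OK: $f does not run as root"
    done
    rm -rf "$demo"
fi
```

Run against the real /etc/proftpd.conf, a non-zero exit and a WARN line mean the postinst left the root setting in place; the fixed package version in the Solution below removes the need for the check.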

Solution :

Upgrade your proftpd server to proftpd-1.2.0pre10-2.0potato1

Risk factor :

Medium / CVSS Base Score : 5.8

Family: FTP

Nessus Plugin ID: 11450

CVE ID: CVE-2001-0456
