[BlueOnyx:23080] Re: CushyCMS and ProFTPD

Ken Hohhof khohhof at kwom.com
Fri Aug 2 10:08:46 -05 2019


No, not there.  Is this supposed to be a global directive, or per virtual
host?  Actually there are no virtual host containers in /etc/proftpd.conf.
Should there be?

BlueOnyx version is 5208R.


-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of Tobias
Gablunsky
Sent: Friday, August 2, 2019 9:41 AM
To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
Subject: [BlueOnyx:23078] Re: CushyCMS and ProFTPD

Hi Ken,

have you checked if the entry
"DefaultChdir            /web"
is still included in your /etc/proftpd.conf (resp. /etc/proftpds.conf)?

This is the entry needed for changing directory to /web by default. Maybe
this has changed through the update of proftpd?

Regards,
Tobias


> -----Original Message-----
> From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of 
> Ken Hohhof
> Sent: Friday, August 02, 2019 2:48 PM
> To: 'BlueOnyx General Mailing List' <blueonyx at mail.blueonyx.it>
> Subject: [BlueOnyx:23076] Re: CushyCMS and ProFTPD
> 
> It sounds like there was a genuine vulnerability that was fixed, so 
> I'm reluctant to roll back the update in order to accommodate one
> customer.
> 
> Yesterday I signed up for a free Cushy account so I could reproduce 
> and troubleshoot the problem.  To my surprise ... no problem!
> 
> Here's my best guess, I think the customer's web designer who set up 
> the CMS probably used / as the path, while I used /web.  And perhaps 
> this was causing Cushy to explore directories not owned by the 
> siteadmin, like maybe php.d.
> 
> That still leaves the mystery of what changed in ProFTPd, because this 
> was working since 2016.  But I'm hoping the customer does not have the 
> path set to  /web, and that changing it will resolve the problem for 
> her.  (Note that I suspect the web designer has a branded pro account 
> from Cushy and the customer is just enrolled as an editor of her site 
> and therefore can't see or change the configuration.)
> 
> Web designers can be difficult to deal with.  They are artists!  And 
> hosting is just a commodity, low skill work by vendor scum who can be 
> replaced with the snap of a finger.
> 
> -----Original Message-----
> From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of 
> Michael Stauber
> Sent: Thursday, August 1, 2019 1:09 PM
> To: blueonyx at mail.blueonyx.it
> Subject: [BlueOnyx:23063] Re: CushyCMS and ProFTPD
> 
> Hi Ken,
> 
> > Since the problem started with the ProFTPd bugfix, I'm starting to 
> > wonder if CushyCMS uses the site cpfr and site cpto commands.  That 
> > seems unlikely, but I can't know for sure without signing up for a 
> > CushyCMS account myself to try it.  The only other explanation I can 
> > think of is that the bugfix had some unanticipated consequences or
> > collateral damage.
> 
> Yeah, it sure is related to the update. The ProFTPd we're using now is 
> a "release candidate" and I also observed that it does a few things 
> slightly different than the last stable version that we were using. 
> The code maturity seems to have dropped a notch or two.
> 
> I don't have any other or better solution at the moment, sorry. But 
> perhaps you might temporarily go back to the last ProFTPd version that 
> worked for you?
> 
> If so, please do this:
> 
> rpm -e --nodeps proftpd
> rm /etc/proftpd.conf
> rm /etc/proftpds.conf
> 
> That removes ProFTPd. Then you can grab the last good one. As I don't 
> know which version of BlueOnyx you're using I'll be pointing you to 
> the RPMs of the individual BlueOnyx versions:
> 
> 5209R:
> 
> http://updates.blueonyx.it/pub/BlueOnyx/5200R/el7/blueonyx/x86_64/RPMS/proftpd-1.3.5e-1BX7.x86_64.rpm
> 
> 5208R:
> 
> http://updates.blueonyx.it/pub/BlueOnyx/5200R/el6/blueonyx/x86_64/RPMS/proftpd-1.3.5-1BX5.x86_64.rpm
> 
> 5207R:
> 
> http://updates.blueonyx.it/pub/BlueOnyx/5200R/el6/blueonyx/i386/RPMS/proftpd-1.3.5-1BX5.i386.rpm
> 
> Install the RPM of ProFTPd applicable to your BlueOnyx version this way:
> 
> rpm -hUv <URL>
> 
> Then restart CCEd and xinetd:
> 
> /usr/sausalito/sbin/cced.init restart
> service xinetd restart
> 
> To prevent YUM from updating ProFTPd again please edit /etc/yum.conf 
> and find the lines that look like this:
> 
> ## start-yum-gui
> exclude=
> ## stop-yum-gui
> 
> Change it to this:
> 
> ## start-yum-gui
> exclude=proftpd
> ## stop-yum-gui
> 
> You actually can edit that via the GUI, too. It's under "Software Updates" /
> "YUM Updater" and in the "Settings" tab there is the form field 
> "Exclude these RPMS". Instead of editing /etc/yum.conf you can 
> directly write "proftpd" (without quotes) into that formfield to have 
> it excluded from YUM Updates.
> 
> --
> With best regards
> 
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
> 
> 


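Added example (not part of the thread or of BlueOnyx's own tooling): a shell check for the question raised above, listing every DefaultChdir entry in a ProFTPD config and whether it sits at server level or inside a <Global>, <VirtualHost> or <Anonymous> block. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: list each DefaultChdir directive with its enclosing context.
# Output format: context:line-number:directory
defaultchdir_contexts() {
    awk '
    /^[ \t]*#/ { next }                              # skip comment lines
    { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
    low ~ /^<\// { if (depth > 0) depth--; next }    # closing tag: pop
    low ~ /^</ {                                     # opening tag: push its name
        name = low; sub(/^</, "", name); sub(/[ \t>].*$/, "", name)
        stack[++depth] = name; next
    }
    low ~ /^defaultchdir[ \t]/ {
        ctx = "server config"
        for (i = depth; i > 0; i--)
            if (stack[i] ~ /^(virtualhost|global|anonymous)$/) { ctx = stack[i]; break }
        split(line, f, /[ \t]+/)
        printf "%s:%d:%s\n", ctx, FNR, f[2]
    }' "$@"
}

# Succeeds if any DefaultChdir in the given config points at directory $1.
has_defaultchdir() {
    dir=$1; shift
    defaultchdir_contexts "$@" |
        awk -F: -v d="$dir" '$3 == d { found = 1 } END { exit !found }'
}

# Constructed sample config for illustration (not a real BlueOnyx file).
sample_conf() {
    cat <<'EOF'
# constructed sample
ServerName "example"
DefaultRoot ~
<Global>
  DefaultChdir            /web
</Global>
<VirtualHost 192.0.2.10>
  <IfModule mod_tls.c>
    TLSEngine on
  </IfModule>
  defaultchdir /htdocs
</VirtualHost>
EOF
}

# Check the two config files named in the thread, if present on this host.
for conf in /etc/proftpd.conf /etc/proftpds.conf; do
    if [ -r "$conf" ]; then echo "== $conf"; defaultchdir_contexts "$conf"; fi
done
```

Running it before and after a package update and comparing the output shows whether the directive was dropped or moved into a different block.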




