[BlueOnyx:23078] Re: CushyCMS and ProFTPD

Tobias Gablunsky t.gablunsky at cbxnet.de
Fri Aug 2 09:40:32 -05 2019 

Hi Ken,

have you checked if the entra
"DefaultChdir            /web"
is still included in your /etc/proftpd.conf (resp. /etc/proftpds.conf)?

This is the entry needed for changing directory to /web by default. Maybe this has changed through the update of proftpd?

Regards,
Tobias


> -----Original Message-----
> From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Ken
> Hohhof
> Sent: Friday, August 02, 2019 2:48 PM
> To: 'BlueOnyx General Mailing List' <blueonyx at mail.blueonyx.it>
> Subject: [BlueOnyx:23076] Re: CushyCMS and ProFTPD
> 
> It sounds like there was a genuine vulnerability that was fixed, so I'm
> reluctant to roll back the update in order to accommodate one customer.
> 
> Yesterday I signed up for a free Cushy account so I could reproduce and
> troubleshoot the problem.  To my surprise ... no problem!
> 
> Here's my best guess, I think the customer's web designer who set up the
> CMS
> probably used / as the path, while I used /web.  And perhaps this was
> causing Cushy to explore directories not owned by the siteadmin, like
> maybe
> php.d.
> 
> That still leaves the mystery of what changed in ProFTPd, because this was
> working since 2016.  But I'm hoping the customer does not have the path
> set
> to  /web, and that changing it will resolve the problem for her.  (Note
> that
> I suspect the web designer has a branded pro account from Cushy and the
> customer is just enrolled as an editor of her site and therefore can't see
> or change the configuration.)
> 
> Web designers can be difficult to deal with.  They are artists!  And
> hosting
> is just a commodity, low skill work by vendor scum who can be replaced
> with
> the snap of a finger.
> 
> -----Original Message-----
> From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of Michael
> Stauber
> Sent: Thursday, August 1, 2019 1:09 PM
> To: blueonyx at mail.blueonyx.it
> Subject: [BlueOnyx:23063] Re: CushyCMS and ProFTPD
> 
> Hi Ken,
> 
> > Since the problem started with the ProFTPd bugfix, I'm starting to
> > wonder if CushyCMS uses the site cpfr and site cpto commands.  That
> > seems unlikely, but I can't know for sure without signing up for a
> > CushyCMS account myself to try it.  The only other explanation I can
> > think of is that the bugfix had some unanticipated consequences or
> collateral damage.
> 
> Yeah, it sure is related to the update. The ProFTPd we're using now is a
> "release candidate" and I also observed that it does a few things slightly
> different than the last stable version that we were using. The code
> maturity
> seems to have dropped a notch or two.
> 
> I don't have any other or better solution at the moment, sorry. But
> perhaps
> you might temporarily go back to the last ProFTPd version that worked for
> you?
> 
> If so, please do this:
> 
> rpm -e --nodeps proftpd
> rm /etc/proftpd.conf
> rm /etc/proftpds.conf
> 
> That removes ProFTPd. Then you can grab the last good one. As I don't know
> which version of BlueOnyx you're using I'll be pointing you to the RPMs of
> the individual BlueOnyx versions:
> 
> 5209R:
> 
> http://updates.blueonyx.it/pub/BlueOnyx/5200R/el7/blueonyx/x86_64/RPMS/pro
> ft
> pd-1.3.5e-1BX7.x86_64.rpm
> 
> 5208R:
> 
> http://updates.blueonyx.it/pub/BlueOnyx/5200R/el6/blueonyx/x86_64/RPMS/pro
> ft
> pd-1.3.5-1BX5.x86_64.rpm
> 
> 5207R:
> 
> http://updates.blueonyx.it/pub/BlueOnyx/5200R/el6/blueonyx/i386/RPMS/proft
> pd
> -1.3.5-1BX5.i386.rpm
> 
> Install the RPM of ProFTPd applicable to your BlueOnyx version this way:
> 
> rpm -hUv <URL>
> 
> Then restart CCEd and xinetd:
> 
> /usr/sausalito/sbin/cced.init restart
> service xinetd restart
> 
> To prevent YUM from updating ProFTPd again please edit /etc/yum.conf and
> find the lines that look like this:
> 
> ## start-yum-gui
> exclude=
> ## stop-yum-gui
> 
> Change it to this:
> 
> ## start-yum-gui
> exclude=proftpd
> ## stop-yum-gui
> 
> You actually can edit that via the GUI, too. It's under "Software Updates"
> /
> "YUM Updater" and in the "Settings" tab there is the form field "Exclude
> these RPMS". Instead of editing /etc/yum.conf you can directly write
> "proftpd" (without quotes) into that formfield to have it excluded from
> YUM
> Updates.
> 
> --
> With best regards
> 
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
> 
> 
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx

More information about the Blueonyx mailing list