ProFTPd is an open-source, cross-platform FTP server and is one among the most popular FTP servers used in Unix-like environments. It comes pre-installed with many Linux and Unix distributions and is used by a number of popular businesses and websites including SourceForge, Samba and Slackware.
An improper access control vulnerability has been discovered in ProFTPD, which under certain conditions could be exploited to execute arbitrary code and cause information disclosure. The vulnerability is identified with CVE-2019-12815 and resides in ProFTPD’s mod_copy module. The mod_copy is enabled by default in most distributions. This allows users to copy files/directories from one place to another on a server without having to transfer the data to the client and back.
According to the ProFTPD bug report, the mod_copy module provides two custom commands SITE CPFR and SITE CPTO, which do not follow permission directions specified as per configuration and thus allow remote users to copy a file to the current folder even if they don’t have permission. The vulnerability can thus be exploited by unauthorizedly copying an executable file to a location on the server where it can be executed.
It is important to note that not every FTP server running vulnerable ProFTPD can be exploited remotely. Successful exploitation requires the following conditions:
- An attacker should be able to authenticate to the ProFTPD server either by a user account or an anonymous account.
- mod_copy module should be enabled.
- The FTP directory should also be accessible from a web server.
The vulnerability affects ProFTPD versions 1.3.4 through 1.3.6 (Note: ProFTPd 1.3.6 is also affected and does not contain the fix)
The flaw may allow remote code execution or information disclosure.
According to the ProFTPD bug report, the fix for this vulnerability was merged and backported to the version 1.3.6 branch. However, the researcher who reported this bug states in the advisory that the vulnerability was not fixed in version 1.3.6
Please refer to this KB article.