ProFTPD Powered FTP Servers Affected with Arbitrary File Copy Flaw

Recently a new vulnerability was found in ProFTPD that powers millions of servers worldwide. The vulnerability enables the user to copy files or directories from one location to another location on the same server without the need to first transfer the data to the client.


What is ProFTPD?

ProFTPD is a free, open-source application that allows the transfer of files and directories from the user to the server. It is compatible with all the Unix systems and with Microsoft Windows as well. It is one of the most popular FTP servers used by millions of people worldwide.


About the Vulnerability

Tobias Mädel reported a severe vulnerability of ProFPTD that could affect millions of servers online. This flaw was present in the mod_copy module of the ProFTPD software. The mod_copy file had not been included in the ProFTPD software until 2010, but it was included in later versions of this software after the version 1.3.4.

The flaw enables the user to copy files or folders from one part to the other part of the same server without the need to first transfer the data to the client and back.

In some conditions, this flaw may lead to dangerous outputs. It may lead the attacker to information disclosure or remote code execution attacks. In order to successfully use a remote code execution attack, the hacker needs to copy the malicious PHP code to the place on the server, where it can be executed.

This vulnerability is designated as CVE-2019-12815 and, it has the potential to affect all versions of ProFPTD, including its newer version as well. The new ProFTPD flaw was almost the same as the previous vulnerability that was reported four years back in the older version of ProFTPD (CVE-2015-3306), but that older vulnerability was more dangerous.

Tobias Mädel said that he reported this flaw to the ProFTPD team, but they did not respond to his statement, and the issue was not fixed. So later he contacted the Debian security team that looked upon his report and took action to fix the issue.


How it got Patched?

After the researcher reported the issue to the Debian security team, a patch was developed for the 1.3.6 version of the ProFTPD, but this patch is not yet added to the new version. Suse Linux was not affected by this vulnerability. The fix was done on July 17, 2019, but according to Mädel’s July 23 update, the vulnerability is still present in the 1.3.6 version of the software.


Tell us what you think!

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: