ProFTPD is open-source software and one of the most popular FTP servers, running on more than one million servers all over the world. It comes pre-installed on several Linux and Unix-based distributions, including Debian. A German security researcher has revealed a security flaw that leaves ProFTPD servers vulnerable to remote code execution attacks.
Tobias Mädel reveals that the vulnerability exists in ProFTPD’s mod_copy module, which is supplied by default with the FTP server installation and is enabled by default on most operating systems.
The bug stems from an incorrect access-control check in the mod_copy module: an authenticated user with no write permission can still copy files on the FTP server. It can also be exploited when anonymous access is enabled in the server settings.
The SITE CPFR and SITE CPTO commands are the culprits behind this bug. They bypass the “Limit WRITE” DenyAll directives, so users without write permission can copy files to the current folder.
All versions of ProFTPD are affected by the bug, tracked as CVE-2019-12815, with one exception: version 1.3.6 is exploitable only if it was installed from sources compiled before 17th July 2019.
To defend against this attack, server admins must disable the mod_copy module. ProFTPD has backported a patch to version 1.3.6 but has not yet released a new version with a fix for the issue.
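The following shell script is an added example (not code from the article or from the ProFTPD project) showing how an administrator can check whether a ProFTPD modules file still loads mod_copy and produce the hardened form with that module disabled, which is the mitigation described above. The sample modules file is constructed for the demo; on a real Debian host the file is /etc/proftpd/modules.conf, and the list of modules actually loaded into the running binary can be confirmed with “proftpd -l”.

```shell
#!/bin/sh
# Added example (not from the article or the ProFTPD project): audit a
# ProFTPD modules file for the mod_copy module and write a hardened copy.
# The file contents below are a constructed sample, not a real server config.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed sample: a modules file that still loads mod_copy, so the
# SITE CPFR / SITE CPTO commands would be available to FTP users.
cat > "$workdir/modules.conf.vulnerable" <<'EOF'
# ProFTPD modules list (constructed sample)
LoadModule mod_ctrls_admin.c
LoadModule mod_tls.c
LoadModule mod_copy.c
LoadModule mod_ls.c
EOF

# Returns 0 (true) when an uncommented LoadModule line for mod_copy exists.
mod_copy_loaded() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+mod_copy\.c' "$1"
}

# Writes a hardened copy of the modules file in which the mod_copy line is
# commented out; $1 = input file, $2 = output file.
harden_modules_conf() {
    sed 's/^[[:space:]]*LoadModule[[:space:]]*mod_copy\.c/#&/' "$1" > "$2"
}

# Optional live check on a host where proftpd is installed: "proftpd -l"
# lists the modules compiled into (or loaded by) the binary.
mod_copy_in_binary() {
    command -v proftpd >/dev/null 2>&1 && proftpd -l 2>/dev/null | grep -q 'mod_copy\.c'
}

harden_modules_conf "$workdir/modules.conf.vulnerable" "$workdir/modules.conf.hardened"

for variant in vulnerable hardened; do
    if mod_copy_loaded "$workdir/modules.conf.$variant"; then
        echo "$variant: mod_copy is loaded (SITE CPFR/CPTO available)"
    else
        echo "$variant: mod_copy is not loaded"
    fi
done
```

After replacing the real modules file with the hardened version, restart ProFTPD and re-run the audit so that the change is verified against the running service rather than only against the file on disk.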