CVE-2019-12815: ProFTPD mod_copy Remote Code Execution Vulnerability Alert

Recently, the ProFTPd project fixed an arbitrary file copy vulnerability (CVE-2019-12815). The vulnerability stems from the custom SITE CPFR and SITE CPTO operations in the mod_copy module. By issuing these two commands to ProFTPd, an attacker can copy any file on the FTP server without having permission to do so.

ProFTPD (short for Pro FTP daemon) is an FTP server. ProFTPD is free and open-source software, compatible with Unix-like systems and Microsoft Windows (via Cygwin). Along with vsftpd and Pure-FTPd, ProFTPD is among the most popular FTP servers in Unix-like environments today. Compared to those, which focus e.g. on simplicity, speed or security, ProFTPD's primary design goal is to be a highly feature-rich FTP server, exposing a large amount of configuration options to the user. (Via Wikipedia)

Affected version

  • ProFTPd <= 1.3.5b

Unaffected version

  • ProFTPd 1.3.6

Solution

ProFTPd has fixed this vulnerability in the newly released version 1.3.6, and it is recommended that affected users upgrade ProFTPd to the latest version as soon as possible. Users can also disable the mod_copy module for temporary protection.
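Until the upgrade or the mod_copy removal is in place, the SITE CPFR / SITE CPTO commands described above are the thing to watch for in FTP command logs. The script below is an added example, not code from ProFTPd or from this advisory: it parses constructed common-log-style lines (the exact ExtendedLog layout on a real server depends on its LogFormat, so the line format here is an assumption), pairs each accepted CPFR with the following CPTO from the same client and user, and flags copies whose source sits under a directory the FTP user should never be reading. It also carries a small version check that mirrors the affected/unaffected ranges stated on this page.

```python
import re

# Constructed sample lines in a common-log style (host, user, timestamp,
# request, status, bytes). They are invented for this example and are not
# real captured traffic; ProFTPD's own ExtendedLog layout is configurable.
SAMPLE_LOG = """\
192.0.2.10 - alice [21/Jul/2019:10:01:02 +0000] "USER alice" 331 -
192.0.2.10 - alice [21/Jul/2019:10:01:03 +0000] "PASS (hidden)" 230 -
192.0.2.10 - alice [21/Jul/2019:10:01:05 +0000] "SITE CPFR /etc/passwd" 350 -
192.0.2.10 - alice [21/Jul/2019:10:01:06 +0000] "SITE CPTO /var/ftp/pub/passwd.txt" 250 -
198.51.100.7 - bob [21/Jul/2019:10:02:00 +0000] "RETR report.pdf" 226 4096
198.51.100.7 - bob [21/Jul/2019:10:02:30 +0000] "SITE CPFR /home/bob/a.txt" 350 -
198.51.100.7 - bob [21/Jul/2019:10:02:31 +0000] "SITE CPTO /home/bob/b.txt" 250 -
"""

# One log line: host, ident, user, [timestamp], "command", 3-digit status.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<cmd>[^"]*)" (?P<status>\d{3})'
)
# The two mod_copy SITE subcommands and their path argument.
SITE_COPY_RE = re.compile(r'^SITE\s+(?P<verb>CPFR|CPTO)\s+(?P<path>.+)$', re.IGNORECASE)


def is_affected(version):
    """True for ProFTPD versions below 1.3.6 (1.3.5b and earlier per this advisory)."""
    m = re.match(r'^(\d+)\.(\d+)\.(\d+)', version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(x) for x in m.groups()) < (1, 3, 6)


def find_site_copies(log_text, status_ok=("250", "350")):
    """Return (host, user, src, dst) for every accepted CPFR followed by an accepted CPTO.

    A CPFR only sets the source; the copy happens on CPTO, so the pair is
    keyed by (host, user) and emitted when the CPTO succeeds.
    """
    pending = {}      # (host, user) -> source path from the last accepted CPFR
    copies = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sc = SITE_COPY_RE.match(m.group("cmd"))
        if not sc or m.group("status") not in status_ok:
            continue
        key = (m.group("host"), m.group("user"))
        if sc.group("verb").upper() == "CPFR":
            pending[key] = sc.group("path")
        elif key in pending:
            copies.append((key[0], key[1], pending.pop(key), sc.group("path")))
    return copies


def flag_suspicious(copies, sensitive_prefixes=("/etc/", "/root/", "/var/log/")):
    """Keep only copies whose source lies under a directory FTP users should not read.

    The prefix list is an assumption for this example; tune it to the server.
    """
    return [c for c in copies if c[2].startswith(sensitive_prefixes)]


if __name__ == "__main__":
    for host, user, src, dst in flag_suspicious(find_site_copies(SAMPLE_LOG)):
        print("suspicious SITE copy: %s (%s) %s -> %s" % (host, user, src, dst))
```

Run against a real log by reading the file into `find_site_copies`; the version check is useful in an inventory script that pulls the banner or package version from each server and decides whether it still falls in the affected range.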

ProFTPd also released fixes for version 1.3.5 here.

Download ProFTPd 1.3.6 version here.