ProFTPD, a popular open-source FTP server used by over a million webmasters around the world, has a serious security flaw. According to the German security researcher who uncovered it, the bug allows remote code execution. Why does this matter? ProFTPD is packaged by most Linux and Unix distributions, including Debian, which makes it an easy and therefore very common choice.
The flaw sits in the mod_copy module, which ships with the base ProFTPD installation and is enabled by default, so a standard install already exposes the SITE CPFR and SITE CPTO commands the module implements.
The root of the problem is an access-control failure. mod_copy does not apply the write restrictions that the server configuration imposes, so it can be used by a user who has no write permission, and, since a copy needs nothing more than a login, by anyone who can log in at all. If the server allows anonymous access, no credentials are needed, which makes the vulnerability considerably more dangerous.
Attackers can bypass a <Limit WRITE> DenyAll restriction with the SITE CPFR and SITE CPTO commands (“copy from” and “copy to”), which mod_copy implements and which did not check that restriction. The directive is meant to forbid every write; the commands nevertheless copy any readable file to a new name or directory, wherever the FTP process itself has write access. That is enough for remote code execution whenever the FTP tree overlaps with something the machine will execute, the classic case being a file with attacker-controlled PHP copied into a directory served by a web server; the code then runs with that service's privileges, not automatically as an administrator. Reported attacks of this kind mostly download and run crypto-mining malware, which burns the server's CPU.
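The quickest way to confirm whether a server is exposed, or that a mitigation took effect, is to log in with the least-privileged account it accepts and see how it answers SITE CPFR. The script below is an added example, not code from the article or from the ProFTPD project. It sends only SITE CPFR, which selects a copy source, and never SITE CPTO, so nothing is copied; it interprets the three-digit reply code rather than the reply text, which varies between versions. The host, account and probe path are assumptions, and the reply lines quoted in the docstring are illustrative.

```python
#!/usr/bin/env python3
"""Probe whether a ProFTPD server accepts SITE CPFR (added example).

Only SITE CPFR is sent; SITE CPTO never is, so no file is copied.
Host, credentials and path are assumptions: use it only on servers you are
authorised to test.
"""
import ftplib
import sys


def classify_cpfr_reply(reply: str) -> str:
    """Map the reply line to 'SITE CPFR' onto a verdict.

    Only the reply code is interpreted:
      350            source accepted, server waits for SITE CPTO -> mod_copy active
      500 / 502      command not understood -> mod_copy is not loaded
      other 5xx      refused: a <Limit SITE_CPFR> applies, or the path does not
                     exist / is not readable by the FTP user (try a file you can LIST)
      4xx            transient error, retry later
    """
    code = reply[:3]
    if len(code) != 3 or not code.isdigit():
        return "unexpected"
    if code == "350":
        return "accepted"
    if code in ("500", "502"):
        return "unsupported"
    if code[0] == "5":
        return "refused"
    if code[0] == "4":
        return "transient"
    return "unexpected"


def probe(host, port=21, user="anonymous", password="probe@example.invalid",
          path=".", timeout=10):
    """Log in, send SITE CPFR <path>, and return (verdict, raw reply line)."""
    with ftplib.FTP() as ftp:          # QUIT is sent when the block exits
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, password)
        try:
            reply = ftp.sendcmd(f"SITE CPFR {path}")
        except (ftplib.error_perm, ftplib.error_temp) as exc:
            # ftplib raises on 4xx/5xx; the exception text is the reply line
            reply = str(exc)
    return classify_cpfr_reply(reply), reply


if __name__ == "__main__":
    if len(sys.argv) not in (2, 4, 5):
        sys.exit(f"usage: {sys.argv[0]} HOST [USER PASSWORD [PATH]]")
    host = sys.argv[1]
    user = sys.argv[2] if len(sys.argv) > 2 else "anonymous"
    password = sys.argv[3] if len(sys.argv) > 3 else "probe@example.invalid"
    path = sys.argv[4] if len(sys.argv) > 4 else "."
    verdict, reply = probe(host, user=user, password=password, path=path)
    print(f"{host}: {verdict} ({reply.strip()})")
    # "accepted" from an account that is denied WRITE means the mitigation is not in place
    sys.exit(1 if verdict == "accepted" else 0)
```

Run it against the anonymous account first; an "accepted" verdict from an account that <Limit WRITE> is supposed to restrict is exactly the condition the article describes, while "unsupported" after disabling the module confirms the server no longer recognises the command at all.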
Every ProFTPD release up to and including 1.3.5b is affected by the bug, which is tracked as CVE-2019-12815. Version 1.3.6 is only safe if it was built from sources that include the fix committed on July 17, 2019; a 1.3.6 compiled from older sources is vulnerable as well.
Until a fixed release is available, the one reliable defense is to disable mod_copy: rebuild without it, or, where it is loaded as a shared module, remove its LoadModule line and restart the server. The ProFTPD project has committed a fix to its 1.3.6 source branch but had not shipped a new release containing it at the time of writing.
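The configuration below puts the weak setup beside the two mitigations. It is an added example, not configuration from the article or from the ProFTPD project: the anonymous directory, user and group names are assumptions, and the modules.conf path is how Debian's packages lay things out. The <Limit SITE_CPFR SITE_CPTO> form relies on mod_copy's own documentation, which names those two commands for <Limit> sections; removing the module is the stronger of the two because it does not depend on the module honouring anything.

```apache
# proftpd.conf fragment (added example, not from the article or the ProFTPD project)

# Before: a typical read-only anonymous area. <Limit WRITE> DenyAll is meant to
# forbid every write, but vulnerable mod_copy builds never consult it for
# SITE CPFR / SITE CPTO, so an anonymous client can still copy files around.
<Anonymous /srv/ftp>
  User       ftp
  Group      nogroup
  UserAlias  anonymous ftp
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

# Mitigation 1 (preferred): do not load mod_copy at all.
# Run `proftpd -l` to list modules compiled in statically; if mod_copy.c is
# among them, rebuild without it. If it is loaded as a shared object instead,
# the LoadModule line lives in the modules file (/etc/proftpd/modules.conf on
# Debian-style installs); comment it out and restart proftpd.
#LoadModule mod_copy.c

# Mitigation 2: if the module has to stay, deny its two commands outright,
# independently of the <Limit WRITE> rules the bug ignores.
<Limit SITE_CPFR SITE_CPTO>
  DenyAll
</Limit>
```

Check the result with `proftpd -t`, which parses the configuration without starting the server, then restart proftpd; the SITE CPFR probe from an anonymous session should now answer with a 5xx reply instead of 350.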