vulnerability in ProFTPd

Active8

I'm not sure if this is the right place, but I just saw this:

ProFTPd CVE-2019-12815
published 18.07.2019
ID: CVE-2019-12815
Title: ProFTPd mod_copy - arbitrary file copy without authentication
Release Date: 2019-07-18
Severity: Important
Overview:
Tobias Mädel has identified a vulnerability in ProFTPd's mod_copy. mod_copy is supplied in the default installation of ProFTPd and is enabled by default in most distributions (e.g. Debian).

Details:
1: CVE-2019-12815: mod_copy Incorrect Access Control
Description: Issuing CPFR, CPTO commands to a ProFTPd server allows users without write permissions to copy any file on the FTP server.
Fix: https://github.com/proftpd/proftpd/pull/816
Workaround #1: Disable mod_copy in the ProFTPd configuration file.

ProFTPd Bugtracker: http://bugs.proftpd.org/show_bug.cgi?id=4372
--------------------------------------------------------------------------------
Found a workaround (not tested):

To disable mod_copy please follow the instructions below:

nano /etc/proftpd/modules.conf
Find the line that contains LoadModule mod_copy.c
Insert a '#' at the start of the line so that it reads #LoadModule mod_copy.c
Save the file
Restart proftpd
------------------------------------------------------------------------------


https://tbspace.de/cve201912815proftpd.html

EDIT:
New DA installations are shipped with PureFTP, but old ones were with ProFTPd.
I have checked my config and could not find: LoadModule mod_copy.c

Probably DA does not build this by default; can someone from staff confirm this?
ProFTPD CVE-2019-12815

CVE-2019-12815 is a CRITICAL vulnerability in ProFTPD - all versions up to the current one. It affects the mod_copy module which (at least on my FreeBSD server) is not loaded by default by the Custombuild:

Code:
root@srv2:~ # proftpd -l
Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_rlimit.c
  mod_auth_unix.c
  mod_auth_file.c
  mod_auth.c
  mod_ls.c
  mod_log.c
  mod_site.c
  mod_delay.c
  mod_facts.c
  mod_dso.c
  mod_ident.c
  mod_ratio.c
  mod_readme.c
  mod_tls.c
  mod_lang.c

Still, everyone should consider patching their ProFTPD installations; this is obligatory if you use the mentioned module. The patch is available at:

https://github.com/proftpd/proftpd/pull/816
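The two posts above check exposure in two different ways: the first by looking for an uncommented `LoadModule mod_copy.c` in `/etc/proftpd/modules.conf`, the second by reading `proftpd -l`. Both checks are needed, because `proftpd -l` only lists statically compiled modules, and a build that includes `mod_dso.c` (as the FreeBSD list above does) can still load mod_copy as a shared object from the config. The script below is an added example written for this thread, not code from the DirectAdmin forum, ProFTPD project or advisory; it folds both checks into one verdict and applies the advisory's workaround #1 to a config file. The `proftpd -l` output and modules.conf content embedded in it are constructed samples modelled on the posts, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or the ProFTPD project).
# CVE-2019-12815 needs mod_copy to be present: either compiled in
# (visible in `proftpd -l`) or loaded as a DSO through an active
# "LoadModule mod_copy.c" line in modules.conf.

# 0 if mod_copy appears in the given `proftpd -l` output, 1 otherwise.
modcopy_compiled_in() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*mod_copy\.c$'
}

# 0 if the given modules.conf text has an uncommented LoadModule mod_copy.c
# directive, 1 otherwise. A line already starting with '#' does not match.
modcopy_loaded_dso() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*LoadModule[[:space:]]+mod_copy\.c'
}

# Prints "affected" or "not-affected" for a (proftpd -l output, modules.conf text) pair.
modcopy_status() {
    if modcopy_compiled_in "$1" || modcopy_loaded_dso "$2"; then
        echo affected
    else
        echo not-affected
    fi
}

# Workaround #1 from the advisory: comment out every active LoadModule
# mod_copy.c line. Reads config text on stdin, writes the edited text on stdout.
disable_modcopy() {
    sed -E 's/^([[:space:]]*)(LoadModule[[:space:]]+mod_copy\.c)/\1#\2/'
}

# --- constructed sample data standing in for real command output and files ---
SAMPLE_L_FREEBSD='Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_dso.c
  mod_tls.c'

SAMPLE_MODULES_CONF_DEBIAN='# constructed Debian-style modules.conf
<IfModule mod_dso.c>
  LoadModule mod_copy.c
  LoadModule mod_ctrls_admin.c
</IfModule>'

# On a real box, replace the samples with live data:
#   modcopy_status "$(proftpd -l)" "$(cat /etc/proftpd/modules.conf)"
echo "custombuild, no modules.conf: $(modcopy_status "$SAMPLE_L_FREEBSD" "")"
echo "Debian-style DSO load:        $(modcopy_status "$SAMPLE_L_FREEBSD" "$SAMPLE_MODULES_CONF_DEBIAN")"
echo "modules.conf after workaround #1:"
printf '%s\n' "$SAMPLE_MODULES_CONF_DEBIAN" | disable_modcopy
```

After editing a real modules.conf, run `proftpd -t` to confirm the configuration still parses before restarting the daemon; a server that fails to start because of a typo in the workaround is a different outage than the one you were trying to avoid. Disabling the module is a stopgap only; the fix in pull request 816 is what to apply once the build is updated.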
 
Hello,

As far as I can see, the default installation neither builds ProFTPd with mod_copy nor loads it. So ProFTPd on DirectAdmin servers can be considered not affected by the reported vulnerability.