Title: ProFTPd mod_copy - arbitrary file copy with improper access control
Release Date: 2019-07-18
Tobias Mädel has identified a vulnerability in ProFTPd's mod_copy. mod_copy is supplied in the default installation of ProFTPd and is enabled by default in most distributions (e.g. Debian).
1: CVE-2019-12815: mod_copy Incorrect Access Control
Issuing CPFR, CPTO commands to a ProFTPd server allows users without write permissions to copy any file on the FTP server.
Workaround #1: Disable mod_copy in the ProFTPd configuration file.
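As an added example (not part of the original advisory), the script below scans ProFTPd ExtendedLog lines for SITE CPFR/CPTO pairs so that mod_copy use can be spotted while the workaround is rolled out. It assumes the default LogFormat `%h %l %u %t "%r" %s %b`; the hosts, users, paths and log lines themselves are constructed for this example.

```python
import re

# Constructed sample lines in ProFTPd's default LogFormat "%h %l %u %t \"%r\" %s %b"
# (an assumption about the deployment); hosts, users and paths are made up.
SAMPLE_LOG = """\
203.0.113.5 UNKNOWN alice [18/Jul/2019:10:00:01 +0000] "USER alice" 331 -
203.0.113.5 UNKNOWN alice [18/Jul/2019:10:00:02 +0000] "SITE CPFR /srv/ftp/readonly/report.pdf" 350 -
203.0.113.5 UNKNOWN alice [18/Jul/2019:10:00:03 +0000] "SITE CPTO /srv/ftp/upload/report.pdf" 250 -
198.51.100.7 UNKNOWN bob [18/Jul/2019:10:01:00 +0000] "RETR notes.txt" 226 4096
198.51.100.7 UNKNOWN bob [18/Jul/2019:10:01:05 +0000] "SITE CPFR /home/bob/a.txt" 350 -
198.51.100.7 UNKNOWN bob [18/Jul/2019:10:01:06 +0000] "SITE CPTO /home/bob/b.txt" 550 -
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<cmd>[^"]*)" (?P<status>\d{3}) \S+$')


def find_copies(log_text):
    """Pair each SITE CPFR with the next SITE CPTO from the same host/user.

    Returns a list of (user, host, source, destination, cpto_status).
    The CPTO status code lets an analyst separate completed copies (2xx)
    from refused ones (e.g. 550 after the fix or after disabling mod_copy).
    """
    pending = {}  # (host, user) -> source path announced by CPFR
    copies = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line not in the expected format; skip it
        key = (m['host'], m['user'])
        parts = m['cmd'].split(None, 2)
        if len(parts) < 3 or parts[0].upper() != 'SITE':
            continue  # only SITE sub-commands are of interest here
        sub = parts[1].upper()
        if sub == 'CPFR':
            pending[key] = parts[2]
        elif sub == 'CPTO' and key in pending:
            copies.append((m['user'], m['host'], pending.pop(key),
                           parts[2], int(m['status'])))
    return copies


if __name__ == '__main__':
    for user, host, src, dst, status in find_copies(SAMPLE_LOG):
        verdict = 'COPIED' if status < 300 else 'DENIED'
        print(f"{verdict} {user}@{host}: {src} -> {dst}")
```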
ProFTPd Bugtracker: http://bugs.proftpd.org/show_bug.cgi?id=4372
- 28.09.2018 Reported to ProFTPd security@, ProFTPd asking for clarifications
- 12.06.2019 Reported to Debian Security Team, replies by Moritz & Salvatore
- 28.06.2019 Deadline for public disclosure on 28.07.2019 announced
- 17.07.2019 Fix published by ProFTPd
Update 23.07.2019: Contrary to news reports, ProFTPd 1.3.6 is also affected and does not contain the fix.
ProFTPd 1.3.6a contains the fix.
Thanks to Salvatore Bonaccorso and Moritz Mühlenhoff from the Debian Security Team
Thanks to TJ from ProFTPd for fixing the issue