A German security researcher has recently disclosed details of a serious vulnerability in one of the most widely used FTP server applications, currently deployed on over one million servers worldwide. The vulnerable software is ProFTPD, an open-source FTP server used by a large number of popular businesses and websites, including SourceForge, Samba and Slackware, and shipped pre-installed with many Linux and UNIX distributions such as Debian.
Discovered by Tobias Mädel, the vulnerability resides in the mod_copy module of ProFTPD, a component that allows users to copy files and/or directories from one place to another on the server without transferring the data to the client and back. According to Mädel, an incorrect access-control check in mod_copy could be exploited by an authenticated user to copy any file, without authorization, to a location on the vulnerable FTP server where that user is otherwise not allowed to write. In rare circumstances, the flaw could also lead to remote code execution or information disclosure.
John Simpson, a security researcher at Trend Micro, has said that to achieve remote code execution on a targeted server, an attacker must copy a malicious PHP file to a location where it can be executed. It is therefore important to note that not every FTP server running the vulnerable ProFTPD can be hijacked remotely: the attacker needs a login to the targeted server, or the server must have anonymous access enabled.
The vulnerability has been assigned CVE-2019-12815 and affects all versions of ProFTPD, including the latest release, 1.3.6, which came out in 2017. Since the mod_copy module is enabled by default in most operating systems shipping ProFTPD, the flaw could potentially affect a large number of servers. According to an advisory, the newly discovered flaw is related to a similar four-year-old vulnerability in mod_copy, CVE-2015-3306, which allowed remote attackers to read and write arbitrary files through the SITE CPFR and SITE CPTO commands.
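As an added detection example (not from the article or the ProFTPD project), the following Python script scans ProFTPD ExtendedLog lines for a SITE CPFR followed by a SITE CPTO from the same host and user whose destination lies under a web root or carries a script extension, the copy pattern described above. It assumes the Apache-style LogFormat `%h %l %u %t "%r" %s %b`, the web-root paths and extensions listed in the code, and the sample log lines are constructed.

```python
import re

# Assumed ProFTPD ExtendedLog line shape (Apache-style LogFormat "%h %l %u %t \"%r\" %s %b").
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                     r'"(?P<cmd>[^"]*)" (?P<status>\d{3}) \S+$')
# Assumed web roots and script extensions; tune these to the server being monitored.
WEB_ROOTS = ("/var/www/", "/srv/http/")
SCRIPT_EXT = (".php", ".phtml", ".phar")

# Constructed sample: a benign copy by a normal user, then an anonymous session copying its own upload into the web root.
SAMPLE_LOG = """\
203.0.113.5 - alice [12/Jul/2019:10:01:02 +0000] "STOR report.txt" 226 512
203.0.113.5 - alice [12/Jul/2019:10:01:05 +0000] "SITE CPFR /home/alice/report.txt" 350 0
203.0.113.5 - alice [12/Jul/2019:10:01:06 +0000] "SITE CPTO /home/alice/backup/report.txt" 250 0
203.0.113.9 - anonymous [12/Jul/2019:10:02:10 +0000] "SITE CPFR /var/ftp/incoming/upload.txt" 350 0
203.0.113.9 - anonymous [12/Jul/2019:10:02:11 +0000] "SITE CPTO /var/www/html/x.php" 250 0
""".splitlines()

def parse_site_copy(line):
    m = LINE_RE.match(line)
    if not m: return None
    rec = m.groupdict()
    parts = rec["cmd"].split(None, 2)
    if len(parts) < 2 or parts[0].upper() != "SITE" or parts[1].upper() not in ("CPFR", "CPTO"):
        return None  # not a mod_copy command
    rec["site"], rec["arg"] = parts[1].upper(), (parts[2] if len(parts) == 3 else "")
    return rec

def detect(lines):
    # Pair each accepted CPFR (350) with the next CPTO from the same host/user and flag
    # copies whose destination is under a web root or carries a script extension.
    pending = {}  # (host, user) -> source path of the last accepted CPFR
    alerts = []
    for line in lines:
        rec = parse_site_copy(line)
        if rec is None: continue
        key = (rec["host"], rec["user"])
        if rec["site"] == "CPFR":
            if rec["status"] == "350":
                pending[key] = rec["arg"]
            continue
        src, dst = pending.pop(key, None), rec["arg"]
        if src is None: continue
        reasons = [why for hit, why in ((dst.startswith(WEB_ROOTS), "destination under web root"),
                                        (dst.lower().endswith(SCRIPT_EXT), "script extension")) if hit]
        if reasons:  # report even when the server rejected the CPTO: it is still an attempt
            alerts.append({"host": rec["host"], "user": rec["user"], "src": src,
                           "dst": dst, "status": rec["status"], "reasons": reasons})
    return alerts
```

Running `detect(SAMPLE_LOG)` yields one alert for the anonymous session; legitimate copies that stay within a user's own directories produce nothing.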
Mädel reported the vulnerability to the ProFTPD project maintainers in September last year, but the team did not act on the issue for more than nine months. The researcher therefore contacted the Debian Security Team last month, after which the ProFTPD team finally created a patch and, just last week, backported it to ProFTPD 1.3.6 without releasing a new version of the FTP server. As a workaround, server administrators can also disable the mod_copy module in the ProFTPD configuration file to protect themselves from attacks exploiting this flaw.
Source: The Hacker News