Connect with us

Hi, what are you looking for?



ProFTPD Vulnerability Can Expose Servers to Attacks

A security hole affecting the free and open source ProFTPD file transfer protocol (FTP) server can be exploited to copy files to vulnerable servers and possibly execute arbitrary code.

A security hole affecting the free and open source ProFTPD file transfer protocol (FTP) server can be exploited to copy files to vulnerable servers and possibly execute arbitrary code.

ProFTPD is advertised as a “high-performance, extremely configurable, and most of all a secure FTP server.” ProFTPD is used by many projects and organizations, including SourceForge, Samba, and Linksys, and it’s available in many Linux and Unix distributions.

Germany-based researcher Tobias Mädel discovered that the software is affected by a vulnerability related to the mod_copy module, which implements commands for copying files and folders on the same server without the necessity to first transfer the data to the client. The module is enabled by default in most operating systems.ProFTPD vulnerability

Mädel told SecurityWeek that exploitation of the vulnerability requires access (at least anonymous access) to the targeted machine.

“Attacks could be made (for example) on Open Source mirror servers,” the researcher explained. “These have anonymous access enabled, often use ProFTPd and host a lot of binary files. A malicious actor would need to get his malicious file to this machine somehow (for example by distributing it at some unrelated project which is also mirrored on this server) and can then override any file on the mirror server with this (infected) version. This could be used to swap out .iso files or .exe installers where no strict validations (like GPG signatures on apt repositories) are in place.”

Another attack scenario described by the expert leverages auto-updaters. He discovered that Gajim, a popular open source XMPP client that used ProFTPD on its update server, allowed attackers to upload arbitrary files to the server and then execute PHP code, as well as replace their binaries. Gajim developers were privately notified of the issue and rolled out a fix.

A Shodan search for “ProFTPd Anonymous” (i.e., servers that allow anonymous access) shows over 28,000 potentially vulnerable servers, mostly in the United States (9,400), Germany (2,600), Japan (2,000), Russia (1,300) and France (1,200), but Mädel said an attacker would have to connect to each server and attempt to issue a command to see if it’s actually vulnerable.

The advisories published by Debian and SUSE say the flaw “allows for remote code execution and information disclosure without authentication.” However, Mädel told SecurityWeek that he considers remote code execution an edge case for this vulnerability as the targeted server would need to be configured in a certain way, not the typical configuration.

Advertisement. Scroll to continue reading.

“I’ve seen web servers using ProFTPd with PHP and anonymous access. In this scenario RCE is possible,” he explained.

Mädel said he reported his findings to ProFTPD developers in late September 2018, but they did not take any action until recently, when the researcher again stumbled upon the issue while working on a project and informed the Debian security team, which contacted the software’s developers.

A fix has been developed and backported to ProFTPD 1.3.6, a version announced in April 2017, but the patch has yet to be included in a new release.

The researcher pointed out that CVE-2019-12815 is technically very similar to an old vulnerability in ProFTPD, CVE-2015-3306, but the flaw discovered in 2015 was “much more dangerous.”

Related: Serious Vulnerabilities in Linux Kernel Allow Remote DoS Attacks

Related: Linux Kernel Privilege Escalation Vulnerability Found in RDS Over TCP

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.