potentially could affect over one million servers.
The vulnerable software in question is ProFTPD, an open source FTP server that is being used by a large number of popular businesses and websites including SourceForge, Samba and Slackware, and comes pre-installed with many Linux and Unix distributions, like Debian.
Discovered by Tobias Mädel, the vulnerability resides in the mod_copy module of the ProFTPD application, a component that allows users to copy files/directories from one place to another on a server without having to transfer the data to the client and back.
According to Mädel, an incorrect access control issue in the mod_copy module could be exploited to copy any file on the FTP server without authorization, potentially leading to remote code execution and information disclosure attacks.
The vulnerability, assigned CVE-2019-12815, affects all versions of ProFTPD, including the latest, 1.3.6, which was released in 2017.
Since the mod_copy module comes enabled by default in most operating systems using ProFTPD, the flaw could potentially affect a large number of servers exposed on the Internet, as shown by a report from the Shodan search engine.
According to an advisory, the newly discovered issue is related to a similar 4-year-old vulnerability (CVE-2015-3306) in the mod_copy module that allows remote attackers to read and write arbitrary files via the SITE CPFR and SITE CPTO commands.
However, the researcher pointed out that the 2015 flaw was "much more dangerous" than the new one.
Mädel reported the vulnerability to the ProFTPD project maintainers in September last year, but the team did not take any action to address the issue for more than 9 months.
So, the researcher contacted the Debian Security Team last month, after which the ProFTPD team finally created a patch and, just last week, backported it to ProFTPD 1.3.6 without releasing a new version of the FTP server.
As a workaround, server administrators can also disable the mod_copy module in the ProFTPD configuration file to protect their servers from attacks related to this flaw.
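A check for the workaround above, added here as an example and not taken from the article or from the ProFTPD project: it assumes the Debian layout, where modules are enabled by `LoadModule` lines in `/etc/proftpd/modules.conf` (the sample file below is constructed), reports whether mod_copy is active, and comments the line out.

```shell
#!/bin/sh
# Added example (not from the article): find an active "LoadModule mod_copy.c"
# line in a ProFTPD modules.conf-style file and comment it out. Builds with
# mod_copy compiled in statically must be checked with `proftpd -l` instead.

# Constructed sample in the Debian /etc/proftpd/modules.conf style, written to
# a temp file so the check runs offline.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# /etc/proftpd/modules.conf (constructed sample)
ModulePath /usr/lib/proftpd
LoadModule mod_ctrls_admin.c
LoadModule mod_copy.c
LoadModule mod_tls.c
EOF

# mod_copy_enabled CONF: returns 0 if an uncommented LoadModule mod_copy.c line exists.
mod_copy_enabled() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+mod_copy\.c' "$1"
}

# disable_mod_copy CONF: comments the line out in place, keeping CONF.bak as a backup.
disable_mod_copy() {
    sed -i.bak -E 's/^([[:space:]]*)(LoadModule[[:space:]]+mod_copy\.c)/\1# \2/' "$1"
}

if mod_copy_enabled "$SAMPLE_CONF"; then
    echo "mod_copy is enabled in $SAMPLE_CONF"
    disable_mod_copy "$SAMPLE_CONF"
    if mod_copy_enabled "$SAMPLE_CONF"; then
        echo "mod_copy is still enabled; inspect $SAMPLE_CONF by hand"
    else
        echo "mod_copy disabled in $SAMPLE_CONF; reload proftpd to apply"
    fi
else
    echo "mod_copy is not loaded via LoadModule (check 'proftpd -l' for a static build)"
fi
```

Run it against the real file path as root and reload the service afterwards; the backup lets you restore the original if anything else breaks.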
It should be noted that GEN do not have mod_copy.c enabled on any production Internet-facing server, so we are not affected by this flaw.