A potential remote code execution vulnerability has been discovered in the popular GPL-licensed FTP server ProFTPD
ProFTPD is running on over a million servers exposed to the internet. It is included in several Linux distros including Debian, Suse and Ubuntu.
The flaw, tracked under CVE-2019-12815 lives in the mod_copy module. The flaw allows an unauthenticated user to copy any file on the FTP server into any location. This could be leveraged to place a malicious file into a location where it is then executed on the server to achieve a remote code execution.
More details, including a simple proof of concept, are included in the ProFTPD project’s bug tracker.
A patched version of the software is not yet available, so in order to mitigate this vulnerability system administrators only option is to disable the mod_copy module in the ProFTPD configuration file.