Today I found a copy of /etc/passwd in /tmp/passwd.copy.
It seems there is a bug in ProFTPD:
http://bugs.proftpd.org/show_bug.cgi?id=4169
https://www.exploit-db.com/exploits/36742/
################
You should disable mod_copy in ProFTPD.
I think you must wait until the fix is official or compile ProFTPD from GitHub...
Do you think it's possible that copies of other config files, e.g. imscp.conf, can also be stored in /tmp?
Quote: "mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands to be used by unauthenticated clients"
### edit ###
This morning I found a /tmp/passwd.copy on four other servers.
Does anyone know how to fix or secure that?
Hi,
If I have understood correctly, it relates to the module "mod_copy".
When I run "proftpd -vv" there is no module "mod_copy" loaded. So I think it is secure. What does "proftpd -vv" show on your server?
Greets
Chris
Now I have disabled mod_copy in /etc/proftpd/modules.conf:
# LoadModule mod_copy.c
No idea if it works ...
Hi Chris, mod_copy was loaded ...
Hi,
On my Debian Wheezy server, mod_copy is under /usr/lib/proftpd, but it is not configured in any config file, neither in /etc/proftpd/proftpd.conf nor in /etc/proftpd/modules.conf.
Did you enable it manually?
Greets
Chris
I think it works. I don't use this module and no customer has problems.
Greets
Chris
No, mod_copy was enabled by default.
I took a look at the standard configs of Debian. In Wheezy and Jessie the module is enabled by default.
I did an upgrade from Squeeze to Wheezy and the modules.conf was not touched. In Squeeze the module was not available, so this module isn't enabled on my server.
Greets
Chris
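
For the "no idea if it works ..." question above, one way to check config files for an active mod_copy load line and comment it out with a backup. This is an added example, not part of any post in the thread; the function names `list_active`, `mod_copy_active` and `disable_mod_copy` are hypothetical, and the file paths are passed in by the caller.

```shell
#!/bin/sh
# Added example: find and disable an active "LoadModule mod_copy.c" line.
# Pass the config file(s) to check, e.g. the two files named in the thread:
# /etc/proftpd/modules.conf and /etc/proftpd/proftpd.conf.

# An uncommented load line; leading whitespace allowed, directive name
# matched in any letter case. "# LoadModule mod_copy.c" does NOT match.
ACTIVE_RE='^[[:space:]]*[Ll][Oo][Aa][Dd][Mm][Oo][Dd][Uu][Ll][Ee][[:space:]]+mod_copy\.c'

# list_active FILE... -> prints "file:line:text" for every active load line.
list_active() {
    grep -EHn "$ACTIVE_RE" "$@" 2>/dev/null
}

# mod_copy_active FILE -> exit 0 if FILE still loads mod_copy, 1 otherwise.
mod_copy_active() {
    grep -Eq "$ACTIVE_RE" "$1" 2>/dev/null
}

# disable_mod_copy FILE -> comments out active load lines, keeps FILE.bak.
# Exit 0: file changed, 1: nothing to change, 2: file unreadable or copy failed.
disable_mod_copy() {
    conf=$1
    [ -r "$conf" ] || return 2
    mod_copy_active "$conf" || return 1
    cp -p "$conf" "$conf.bak" || return 2
    # Read from the backup and write into the original file, so the
    # original's owner and permissions are preserved.
    sed -E "s/${ACTIVE_RE}/# &/" "$conf.bak" > "$conf"
}
```

The edit only takes effect after ProFTPD is restarted; afterwards "proftpd -vv", as used in the thread, should no longer list mod_copy. A build with mod_copy compiled in statically is not affected by LoadModule lines.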