Same on my Debian server, it is not enabled. Not in /etc/proftpd/modules.conf, not anywhere. Thx Backdraft007 for looking at that.
[NOT i-MSCP RELATED] ProFTPD Unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy
- solved
- fulltilt
- Closed
- Thread is marked as Resolved.
What's possible with this exploit and imscp? As I understood the attacker can just copy files to the /tmp-directory, because he has no other permissions to access for example folders like webpages (if he has no ftp account)...
Am I right?
PS: I also had a /tmp/passwd.copy
PS²: For Debian wheezy there's still no update, so I've deactivated the affected module and restarted the service
Yes, since wheezy it's enabled by default. But not if you upgraded from squeeze to wheezy/jessie. In Jessie proftpd is already fixed, for wheezy there's atm no patch.
The question is: Is this module activated by default in Debian? If yes, and if this is really a security issue for us, I can disable it through the installer.
Yes,
I wrote it here: [NOT i-MSCP RELATED] ProFTPD Unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy a few posts above.
Greets
Chris
I'll fix that so for 1.2.3 version
Thanks
Update for debian wheezy exists now. I'll test if exploit is fixed and then report
Update: as I can see bug should be fixed
Np. For all who are interested in testing out their servers: you can use the following Python script:
https://github.com/nootropics/propane/blob/master/propane.py
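The mitigation discussed in this thread (deactivating mod_copy in /etc/proftpd/modules.conf and restarting the service) can also be verified from the configuration side. The script below is an added example, not code from any poster or from ProFTPD; the function names and the sample file are constructed, and it assumes the module is loaded through a `LoadModule mod_copy.c` line.

```shell
#!/bin/sh
# Added example, not from the thread: check and disable mod_copy in a
# ProFTPD modules file. Assumes the Debian layout named in the thread
# (/etc/proftpd/modules.conf) and a "LoadModule mod_copy.c" directive.

# mod_copy_active FILE -> 0 if an uncommented LoadModule mod_copy.c exists,
# 1 if not, 2 if FILE is unreadable. Directive names are matched
# case-insensitively; "#LoadModule ..." and "# LoadModule ..." do not match.
mod_copy_active() {
    [ -r "$1" ] || return 2
    awk 'tolower($1) == "loadmodule" && tolower($2) == "mod_copy.c" { found = 1 }
         END { exit !found }' "$1"
}

# disable_mod_copy FILE -> print FILE with every active mod_copy line
# commented out; all other lines pass through unchanged.
disable_mod_copy() {
    awk 'tolower($1) == "loadmodule" && tolower($2) == "mod_copy.c" { print "#" $0; next }
         { print }' "$1"
}

# write_sample_conf FILE -> constructed sample input, not a real server config.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample modules.conf
ModulePath /usr/lib/proftpd
LoadModule mod_ctrls_admin.c
#LoadModule mod_sql.c
  LoadModule mod_copy.c
EOF
}

# Demo on the constructed sample: check, write a fixed copy, check again.
tmpdir=$(mktemp -d)
write_sample_conf "$tmpdir/modules.conf"
if mod_copy_active "$tmpdir/modules.conf"; then
    echo "mod_copy is loaded; writing modules.conf.fixed"
    disable_mod_copy "$tmpdir/modules.conf" > "$tmpdir/modules.conf.fixed"
fi
if mod_copy_active "$tmpdir/modules.conf.fixed"; then
    echo "mod_copy still loaded"
else
    echo "mod_copy disabled in modules.conf.fixed; restart proftpd to apply"
fi
rm -rf "$tmpdir"
```

A module compiled statically into the daemon does not appear in modules.conf; `proftpd -l` lists the compiled-in modules.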