ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 uses the AllowChrootSymlinks configuration option to control whether the home directory of a user may contain a symbolic link, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
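The gap between a last-component check and a per-component check, shown as an added example (this is not ProFTPD's code). The function names and the constructed temporary tree are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Last-component-only check: lstat() resolves every component except the
 * final one, so a symlink earlier in the path is followed silently. */
int last_is_symlink(const char *path) {
    struct stat st;
    return lstat(path, &st) < 0 ? -1 : (S_ISLNK(st.st_mode) != 0);
}

/* Per-component check: lstat() each prefix of an absolute path.
 * Returns 1 if any component is a symlink, 0 if none, -1 on error. */
int path_has_symlink(const char *path) {
    char prefix[PATH_MAX];
    size_t len = strlen(path);
    struct stat st;
    if (path[0] != '/' || len >= sizeof prefix) return -1;
    for (size_t i = 1; i <= len; i++) {
        /* Act only at the end of a non-empty component ("//" and a
         * trailing slash add no new prefix to test). */
        if ((path[i] != '/' && path[i] != '\0') || path[i - 1] == '/') continue;
        snprintf(prefix, sizeof prefix, "%.*s", (int)i, path);
        if (lstat(prefix, &st) < 0) return -1;
        if (S_ISLNK(st.st_mode)) return 1;
    }
    return 0;
}

/* Constructed sample tree: <tmp>/real/home are directories, <tmp>/link -> real. */
int build_demo_tree(char *via_link, char *direct, size_t n) {
    char tmpl[] = "/tmp/chrootsym.XXXXXX", base[PATH_MAX];
    if (!mkdtemp(tmpl) || !realpath(tmpl, base)) return -1;
    snprintf(direct, n, "%s/real", base);
    snprintf(via_link, n, "%s/link", base);
    if (mkdir(direct, 0700) < 0 || symlink("real", via_link) < 0) return -1;
    snprintf(direct, n, "%s/real/home", base);
    snprintf(via_link, n, "%s/link/home", base);
    return mkdir(direct, 0700);
}

int main(void) {
    char via[PATH_MAX], direct[PATH_MAX];
    if (build_demo_tree(via, direct, sizeof via) < 0) return 1;
    printf("last-only=%d all=%d\n", last_is_symlink(via), path_has_symlink(via));
    return 0;
}
```

A path-based check like this holds only if the tree cannot change between the check and the `chroot()` call.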
Name | Vendor | Start Version | End Version |
---|---|---|---|
Proftpd | Proftpd | * | 1.3.5 (including) |
Proftpd | Proftpd | 1.3.6 (including) | 1.3.6 (including) |
Proftpd | Proftpd | 1.3.6-rc1 (including) | 1.3.6-rc1 (including) |
Proftpd | Proftpd | 1.3.6-rc2 (including) | 1.3.6-rc2 (including) |
Proftpd | Proftpd | 1.3.6-rc3 (including) | 1.3.6-rc3 (including) |
Proftpd | Proftpd | 1.3.6-rc4 (including) | 1.3.6-rc4 (including) |
Proftpd-dfsg | Ubuntu | artful | * |
Proftpd-dfsg | Ubuntu | esm-apps/xenial | * |
Proftpd-dfsg | Ubuntu | precise | * |
Proftpd-dfsg | Ubuntu | trusty | * |
Proftpd-dfsg | Ubuntu | upstream | * |
Proftpd-dfsg | Ubuntu | xenial | * |
Proftpd-dfsg | Ubuntu | yakkety | * |
Proftpd-dfsg | Ubuntu | zesty | * |