SQL injection vulnerability in ProFTPD closed
An exploit already exists for a recently discovered vulnerability in ProFTPD 1.3.1. The Internet Storm Center says it has reports of first attempts to exploit the vulnerability to gain access to FTP servers.
The hole is a SQL injection vulnerability in mod_sql_mysql and mod_sql_postgres when they are used to provide user authentication data from a SQL database. By crafting user names and passwords with invalidly encoded multi-byte characters, it is possible to bypass the string escaping methods and inject SQL code. This could allow an attacker to reveal user names or overwrite passwords. Installations which use the system's user data for authentication are unaffected by the issue, as there is no SQL server in use.
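A defensive check for the failure mode described above, as an added example that is not ProFTPD's code or its patch: reject any login field that is not strictly valid in the connection encoding before it reaches the escaping routine. It assumes the database connection uses UTF-8; the names `utf8_valid`, `login_field_ok` and the `MAX_FIELD` limit are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Strict UTF-8 check: rejects truncated sequences, stray continuation
 * bytes, overlong forms, UTF-16 surrogates and values above U+10FFFF. */
static int utf8_valid(const unsigned char *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        unsigned char c = s[i];
        size_t need;            /* continuation bytes expected */
        unsigned long cp, min;  /* decoded value, smallest legal value */

        if (c < 0x80) { i++; continue; }
        else if ((c & 0xE0) == 0xC0) { need = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { need = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { need = 3; cp = c & 0x07; min = 0x10000; }
        else return 0;          /* stray continuation or invalid lead byte */

        if (n - i - 1 < need) return 0;   /* sequence cut off by end of input */
        for (size_t k = 1; k <= need; k++) {
            unsigned char t = s[i + k];
            if ((t & 0xC0) != 0x80) return 0;  /* e.g. lead byte followed by a quote */
            cp = (cp << 6) | (t & 0x3F);
        }
        if (cp < min) return 0;                     /* overlong form */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0; /* surrogate */
        if (cp > 0x10FFFF) return 0;
        i += need + 1;
    }
    return 1;
}

/* Hypothetical gate run on the user name and password before any escaping
 * or query construction. MAX_FIELD is an assumed limit. */
#define MAX_FIELD 64
static int login_field_ok(const char *field)
{
    size_t n = strlen(field);
    if (n > MAX_FIELD) return 0;
    for (size_t i = 0; i < n; i++)        /* no control characters */
        if ((unsigned char)field[i] < 0x20 || field[i] == 0x7F) return 0;
    return utf8_valid((const unsigned char *)field, n);
}
```

A check like this complements an encoding-aware escaping routine or parameterized queries; it does not replace them.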
A fixed version, 1.3.2, is now available, as is a patch for version 1.3.1. Linux distributors are also expected to issue updated packages soon.
- Encoding-dependent SQL injection vulnerability, ProFTPD bug report with patch.