In association with heise online

12 February 2009, 10:47

SQL injection vulnerability in ProFTPD closed


A recently discovered vulnerability in ProFTPD 1.3.1 already has an exploit. According to the Internet Storm Center, it has received reports of first attempts to exploit the vulnerability to gain access to FTP servers.

The hole is a SQL injection vulnerability in mod_sql_mysql and mod_sql_postgres when they are used to provide user authentication data from a SQL database. By crafting user names and passwords that contain invalidly encoded multi-byte characters, it is possible to bypass the string escaping routines and inject SQL code. This could allow an attacker to reveal user names or overwrite passwords. Installations that use the system's own user data for authentication are unaffected by the issue, as no SQL server is involved.
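As an added illustration (not ProFTPD's code and not the project's fix), the following Python sketch shows the two defensive measures that address this class of bug: strictly validating the encoding of login fields before they reach the SQL layer, and using parameterized queries instead of escape-and-concatenate. The user table and sample values are constructed for the example.

```python
import sqlite3

# Constructed in-memory user table standing in for a mod_sql backend
# (example data only; not ProFTPD's schema).
SCHEMA = """
CREATE TABLE users (userid TEXT PRIMARY KEY, passwd TEXT, uid INTEGER);
INSERT INTO users VALUES ('alice', 'hash1', 1001);
INSERT INTO users VALUES ('bob',   'hash2', 1002);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def decode_login_field(raw: bytes) -> str:
    """Strictly decode a login field received over the wire.

    Anything that is not well-formed UTF-8 (truncated sequences, stray
    continuation bytes, overlong forms) or that contains NUL is rejected
    up front; these malformed inputs are what byte-oriented quote escaping
    mishandles, so they must never reach an escaping routine at all.
    """
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        raise ValueError("login field is not valid UTF-8")
    if "\x00" in text:
        raise ValueError("login field contains NUL")
    return text


def lookup_user(conn: sqlite3.Connection, raw_userid: bytes):
    """Fetch a user row with a parameterized query: the value travels as
    bound data, so there is no escaping step for crafted bytes to subvert."""
    userid = decode_login_field(raw_userid)
    return conn.execute(
        "SELECT userid, passwd, uid FROM users WHERE userid = ?", (userid,)
    ).fetchone()


def try_login(conn: sqlite3.Connection, raw_userid: bytes):
    """Return ('ok', row), ('rejected', reason) or ('unknown', None)."""
    try:
        row = lookup_user(conn, raw_userid)
    except ValueError as exc:
        return ("rejected", str(exc))
    return ("ok", row) if row else ("unknown", None)
```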

A fixed version, 1.3.2, is now available, as is a patch for version 1.3.1. Linux distributors are expected to issue updated packages soon as well.
