Steffen Joeris
2009-Feb-21 05:21 UTC
[Secure-testing-team] Bug#516388: proftpd: Several SQL injection vulnerabilities
Package: proftpd
Severity: grave
Tags: security
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for proftpd.

CVE-2009-0543[0]:
| ProFTPD Server 1.3.1, with NLS support enabled, allows remote
| attackers to bypass SQL injection protection mechanisms via invalid,
| encoded multibyte characters, which are not properly handled in (1)
| mod_sql_mysql and (2) mod_sql_postgres.

CVE-2009-0542[1]:
| SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2
| allows remote attackers to execute arbitrary SQL commands via a "%"
| (percent) character in the username, which introduces a "'" (single
| quote) character during variable substitution by mod_sql.

The postgresql part should still be vulnerable as discussed via previous mail.
The second issue seems to be still unaddressed. It needs to be investigated
whether upstream's fix is complete, since it doesn't seem to use the usual
escaping functions.

If you fix the vulnerabilities please also make sure to include the CVE ids
in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0543
    http://security-tracker.debian.net/tracker/CVE-2009-0543
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0542
    http://security-tracker.debian.net/tracker/CVE-2009-0542
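Added example (not part of Steffen's report and not ProFTPD/mod_sql code): a toy model of the two bug classes the CVE texts describe, so the ordering problem behind both is visible. A byte-oriented backslash escaper (MySQL-style) protects the quote; the protection is then undone either by a second "%"-tag substitution pass that runs over the already-escaped value (the CVE-2009-0542 shape) or by a multibyte charset in which the escaping backslash becomes the trail byte of a two-byte character (the CVE-2009-0543 shape). The tag names %u and %h, the rule that an unrecognised %x pair is dropped, the lenient server-side decoder and the attack strings are all assumptions made for the illustration, not mod_sql's documented behaviour.

```python
# Added illustration, not code from the bug report or from ProFTPD/mod_sql.
# Toy components (all assumptions for the example):
#   escape_bytes  - byte-oriented, backslash-style (MySQL-like) escaper
#   expand_tags   - "%"-tag substitution; %u/%h are hypothetical tags and
#                   dropping an unknown %x pair is an assumed rule
#   split_literal - toy server-side scan of the first quoted literal
# The attack strings below are constructed for this example.

TEMPLATE = "SELECT passwd FROM users WHERE userid='%u' AND host='%h'"


def escape_bytes(value: bytes) -> bytes:
    """Backslash-escape ' and \\ byte by byte, ignoring the connection charset."""
    out = bytearray()
    for b in value:
        if b in (0x27, 0x5C):  # ' and backslash
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_text(value: str) -> str:
    """Same escaping on decoded characters, so a trail byte can never be hit."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def expand_tags(text: str, tags: dict) -> str:
    """One pass over `text`: %x becomes tags[x]; an unknown %x pair is dropped
    (assumed rule). Inserted values are appended verbatim, never rescanned."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "%" and i + 1 < len(text):
            out.append(tags.get(text[i + 1], ""))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def split_literal(sql: str):
    """Toy server-side parser: returns (value of the first '...' literal,
    the SQL after it). A backslash protects the following character."""
    i = sql.index("'") + 1
    value = []
    while i < len(sql):
        c = sql[i]
        if c == "\\" and i + 1 < len(sql):
            value.append(sql[i + 1])
            i += 2
        elif c == "'":
            return "".join(value), sql[i + 1:]
        else:
            value.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def injected(sql: str) -> bool:
    """True if the user-controlled literal ended early and SQL leaked after it."""
    _, tail = split_literal(sql)
    return not tail.startswith(" AND host=")


def build_vulnerable(username: bytes, charset: str, host: str = "localhost") -> str:
    """Escape bytes first, splice the result into the template, then run the
    tag expander over the whole query (a second pass) and decode leniently
    (assumed: the server substitutes invalid sequences instead of rejecting)."""
    escaped = escape_bytes(username).decode(charset, errors="replace")
    sql = TEMPLATE.replace("%u", escaped)
    return expand_tags(sql, {"h": host})


def build_safe(username: bytes, charset: str, host: str = "localhost") -> str:
    """Decode strictly (bad multibyte input is rejected, not guessed), escape
    characters, and substitute once so the value is never rescanned."""
    text = username.decode(charset)
    return expand_tags(TEMPLATE, {"u": escape_text(text), "h": host})


def safe_or_rejected(username: bytes, charset: str, host: str = "localhost"):
    """build_safe, reporting a rejected (undecodable) input as None."""
    try:
        return build_safe(username, charset, host)
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    payloads = [
        (b"%' OR 1=1 -- ", "latin-1"),   # '%' case: the expander eats the backslash
        (b"\xbf' OR 1=1 -- ", "gbk"),    # NLS case: 0xBF 0x5C is one GBK character
    ]
    for raw, cs in payloads:
        v = build_vulnerable(raw, cs)
        print("vulnerable:", v, "->", "INJECTED" if injected(v) else "ok")
        s = safe_or_rejected(raw, cs)
        if s is None:
            print("safe:       rejected invalid", cs, "input")
        else:
            print("safe:      ", s, "->", "INJECTED" if injected(s) else "ok")
```

The point the report's second paragraph makes, that a fix which does not use the usual escaping functions needs checking, shows up here as an ordering rule: escaping must be the last transformation applied to a value, and the escaper must work on characters in the connection's charset, not on raw bytes. Parameterised queries, where the driver never splices the value into SQL text, remove both failure modes at once.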