icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons_061

ProFTPD Username Variable Substitution SQL Injection

High

Synopsis

The remote host is vulnerable to a SQL Injection attack.

Description

The remote host is using ProFTPD, a free FTP server for Unix and Linux. The version of ProFTPD running on the remote host allows the percent character, '%', within the username. This would allow attackers to inject special SQL characters such as a single quote. An attacker exploiting this flaw would be able to execute arbitrary SQL commands against the database server.

Solution

Upgrade to version 1.3.2rc3 or higher.