SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via a "%" (percent) character in the username, which introduces a "'" (single quote) character during variable substitution by mod_sql.

This update has a large number of changes from previous Fedora packages; the highlights are as follows: - Update to upstream release 1.3.2a - Fix SQL injection vulnerability at login (#485125, CVE-2009-0542) - Fix SELinux compatibility (#498375) - Fix audit logging (#506735) - Fix default configuration (#509251) - Many new loadable modules including mod_ctrls_admin and mod_wrap2 - National Language Support (RFC 2640) - Enable/disable common features in /etc/sysconfig/proftpd

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

multiple vulnerabilities has been identified and fixed in proftpd :

ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser. (CVE-2008-4242)

SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via a '%' (percent) character in the username, which introduces a ''' (single quote) character during variable substitution by mod_sql.
(CVE-2009-0542)

ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2) mod_sql_postgres. (CVE-2009-0543)

The updated packages have been upgraded to the latest proftpd version (1.3.2) to prevent this.

Secunia reports :

Some vulnerabilities have been reported in ProFTPD, which can be exploited by malicious people to conduct SQL injection attacks.

The application improperly sets the character encoding prior to performing SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code in an environment using a multi-byte character encoding.

An error exists in the 'mod_sql' module when processing e.g. user names containing '%' characters. This can be exploited to bypass input sanitation routines and manipulate SQL queries by injecting arbitrary SQL code.

The remote host is affected by the vulnerability described in GLSA-200903-27 (ProFTPD: Multiple vulnerabilities)

    The following vulnerabilities were reported:
    Percent characters in the username are not properly handled, which     introduces a single quote character during variable substitution by     mod_sql (CVE-2009-0542).
    Some invalid, encoded multibyte characters are not properly handled in     mod_sql_mysql and mod_sql_postgres when NLS support is enabled     (CVE-2009-0543).
  Impact :

    A remote attacker could send specially crafted requests to the server,     possibly resulting in the execution of arbitrary SQL statements.
  Workaround :

    There is no known workaround at this time.

The security update for proftpd-dfsg in DSA-1727-1 caused a regression with the postgresql backend. This update corrects the flaw. Also it was discovered that the oldstable distribution (etch) is not affected by the security issues. For reference the original advisory follows.

Two SQL injection vulnerabilities have been found in proftpd, a virtual-hosting FTP daemon. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-0542     Shino discovered that proftpd is prone to a SQL     injection vulnerability via the use of certain     characters in the username.

  - CVE-2009-0543     TJ Saunders discovered that proftpd is prone to a SQL     injection vulnerability due to insufficient escaping     mechanisms, when multybite character encodings are used.

The oldstable distribution (etch) is not affected by these problems.

Two SQL injection vulnerabilities have been found in proftpd, a virtual-hosting FTP daemon. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-0542     Shino discovered that proftpd is prone to a SQL     injection vulnerability via the use of certain     characters in the username.

  - CVE-2009-0543     TJ Saunders discovered that proftpd is prone to a SQL     injection vulnerability due to insufficient escaping     mechanisms, when multybite character encodings are used.

The remote host is using ProFTPD, a free FTP server for Unix and Linux.

The variable substitution feature in the version of ProFTPD running on the remote host can be abused to conduct a SQL injection attack. For example, a remote attacker can bypass authentication using a specially crafted username containing a percent sign character ('%'), a single quote, and SQL code.

The remote host is using ProFTPD, a free FTP server for Unix and Linux.  The version of ProFTPD running on the remote host allows the percent character, '%', within the username.  This would allow attackers to inject special SQL characters such as a single quote.  An attacker exploiting this flaw would be able to execute arbitrary SQL commands against the database server.

ID	Name	Product	Family	Severity
41609	Fedora 10 : proftpd-1.3.2a-5.fc10 (2009-9386)	Nessus	Fedora Local Security Checks	high
37354	Mandriva Linux Security Advisory : proftpd (MDVSA-2009:061)	Nessus	Mandriva Local Security Checks	high
35941	FreeBSD : proftpd -- multiple sql injection vulnerabilities (ca0841ff-1254-11de-a964-0030843d3802)	Nessus	FreeBSD Local Security Checks	high
35917	GLSA-200903-27 : ProFTPD: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
35755	Debian DSA-1730-1 : proftpd-dfsg - SQL injection vulnerabilites	Nessus	Debian Local Security Checks	high
35739	Debian DSA-1727-1 : proftpd-dfsg - SQL injection vulnerabilites	Nessus	Debian Local Security Checks	high
35690	ProFTPD Username Variable Substitution SQL Injection	Nessus	FTP	high
4930	ProFTPD Username Variable Substitution SQL Injection	Nessus Network Monitor	FTP Servers	high
801027	ProFTPD Username Variable Substitution SQL Injection	Log Correlation Engine	FTP Servers	high

Detections

Analytics

CVE-2009-0542

critical

Tenable Plugins

high

high

high

high

high

high

high

high

high