ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2) mod_sql_postgres.

The remote host is using ProFTPD, a free FTP server for Unix and Linux.
According to its banner, the version of ProFTPD installed on the remote host is 1.3.1x and may be affected by SQL injection protection bypass when NLS support is enabled.

multiple vulnerabilities has been identified and fixed in proftpd :

ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser. (CVE-2008-4242)

SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via a '%' (percent) character in the username, which introduces a ''' (single quote) character during variable substitution by mod_sql.
(CVE-2009-0542)

ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2) mod_sql_postgres. (CVE-2009-0543)

The updated packages have been upgraded to the latest proftpd version (1.3.2) to prevent this.

Secunia reports :

Some vulnerabilities have been reported in ProFTPD, which can be exploited by malicious people to conduct SQL injection attacks.

The application improperly sets the character encoding prior to performing SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code in an environment using a multi-byte character encoding.

An error exists in the 'mod_sql' module when processing e.g. user names containing '%' characters. This can be exploited to bypass input sanitation routines and manipulate SQL queries by injecting arbitrary SQL code.

The remote host is affected by the vulnerability described in GLSA-200903-27 (ProFTPD: Multiple vulnerabilities)

    The following vulnerabilities were reported:
    Percent characters in the username are not properly handled, which     introduces a single quote character during variable substitution by     mod_sql (CVE-2009-0542).
    Some invalid, encoded multibyte characters are not properly handled in     mod_sql_mysql and mod_sql_postgres when NLS support is enabled     (CVE-2009-0543).
  Impact :

    A remote attacker could send specially crafted requests to the server,     possibly resulting in the execution of arbitrary SQL statements.
  Workaround :

    There is no known workaround at this time.

The security update for proftpd-dfsg in DSA-1727-1 caused a regression with the postgresql backend. This update corrects the flaw. Also it was discovered that the oldstable distribution (etch) is not affected by the security issues. For reference the original advisory follows.

Two SQL injection vulnerabilities have been found in proftpd, a virtual-hosting FTP daemon. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-0542     Shino discovered that proftpd is prone to a SQL     injection vulnerability via the use of certain     characters in the username.

  - CVE-2009-0543     TJ Saunders discovered that proftpd is prone to a SQL     injection vulnerability due to insufficient escaping     mechanisms, when multybite character encodings are used.

The oldstable distribution (etch) is not affected by these problems.

Two SQL injection vulnerabilities have been found in proftpd, a virtual-hosting FTP daemon. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-0542     Shino discovered that proftpd is prone to a SQL     injection vulnerability via the use of certain     characters in the username.

  - CVE-2009-0543     TJ Saunders discovered that proftpd is prone to a SQL     injection vulnerability due to insufficient escaping     mechanisms, when multybite character encodings are used.

ID	Name	Product	Family	Severity
106750	ProFTPD 1.3.1 SQL injection protection bypass	Nessus	FTP	high
37354	Mandriva Linux Security Advisory : proftpd (MDVSA-2009:061)	Nessus	Mandriva Local Security Checks	high
35941	FreeBSD : proftpd -- multiple sql injection vulnerabilities (ca0841ff-1254-11de-a964-0030843d3802)	Nessus	FreeBSD Local Security Checks	high
35917	GLSA-200903-27 : ProFTPD: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
35755	Debian DSA-1730-1 : proftpd-dfsg - SQL injection vulnerabilites	Nessus	Debian Local Security Checks	high
35739	Debian DSA-1727-1 : proftpd-dfsg - SQL injection vulnerabilites	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2009-0543

critical

Tenable Plugins

high

high

high

high

high

high