
ProFTPD Username Variable Substitution SQL Injection

High

Synopsis

The remote host is vulnerable to a SQL Injection attack.

Description

The remote host is using ProFTPD, a free FTP server for Unix and Linux. The version of ProFTPD running on the remote host allows the percent character, '%', within the username. This would allow attackers to inject special SQL characters such as a single quote. An attacker exploiting this flaw would be able to execute arbitrary SQL commands against the database server.

Solution

Upgrade to version 1.3.2rc3 or higher.
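
To check an inventory against the fixed version above, the following added example (not part of the original plugin or of ProFTPD) compares the version in an FTP greeting banner with 1.3.2rc3. The sample banners are constructed, and the example assumes every release older than the fixed version needs the upgrade.

```python
import re

FIXED = "1.3.2rc3"  # first fixed release, taken from the Solution above

# Constructed sample greetings; addresses are documentation-range placeholders.
SAMPLE_BANNERS = {
    "192.0.2.10": "220 ProFTPD 1.3.1 Server (ProFTPD Default Installation) [192.0.2.10]",
    "192.0.2.11": "220 ProFTPD 1.3.2rc2 Server (files) [192.0.2.11]",
    "192.0.2.12": "220 ProFTPD 1.3.2rc3 Server (files) [192.0.2.12]",
    "192.0.2.13": "220 ProFTPD 1.3.3a Server (files) [192.0.2.13]",
    "192.0.2.14": "220 FTP Server ready.",
}

_BANNER = re.compile(r"ProFTPD (\d\S*)")
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?")


def version_key(version):
    """Sortable key: 1.3.2rc2 < 1.3.2rc3 < 1.3.2 < 1.3.2a < 1.3.3."""
    m = _VERSION.fullmatch(version)
    if not m:
        return None
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):                      # release candidate: before the final release
        return base + (0, int(m.group(4)))
    if m.group(5):                      # maintenance letter: after the final release
        return base + (2, ord(m.group(5)) - ord("a") + 1)
    return base + (1, 0)                # plain final release


def classify(banner):
    """Return 'needs-upgrade', 'fixed' or 'unknown' for one FTP greeting line."""
    m = _BANNER.search(banner)
    key = version_key(m.group(1)) if m else None
    if key is None:
        return "unknown"                # version hidden or unparseable: check by hand
    return "needs-upgrade" if key < version_key(FIXED) else "fixed"


def audit(banners):
    return {host: classify(b) for host, b in banners.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_BANNERS).items():
        print(f"{host}\t{verdict}")
```

A banner only reports what the server announces, so vendor packages with backported fixes and servers that hide their version need to be confirmed from the package database.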