Debian DSA-338-1 : proftpd - SQL injection

critical Nessus Plugin ID 15175

Synopsis

The remote Debian host is missing a security-related update.

Description

runlevel [[email protected]] reported that ProFTPD's PostgreSQL authentication module is vulnerable to a SQL injection attack. This vulnerability could be exploited by a remote, unauthenticated attacker to execute arbitrary SQL statements, potentially exposing the passwords of other users, or to connect to ProFTPD as an arbitrary user without supplying the correct password.

Solution

For the stable distribution (woody) this problem has been fixed in version 1.2.4+1.2.5rc1-5woody2.

We recommend that you update your proftpd package.

See Also

http://www.debian.org/security/2003/dsa-338

Plugin Details

Severity: Critical

ID: 15175

File Name: debian_DSA-338.nasl

Version: 1.21

Type: local

Agent: unix

Published: 9/29/2004

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:proftpd, cpe:/o:debian:debian_linux:3.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/29/2003

Reference Information

CVE: CVE-2003-0500

BID: 7974

DSA: 338