PostgreSQL Authentication Module (mod_sql) for ProFTPD USER Name Parameter SQL Injection

High Nessus Plugin ID 11768


It may be possible to read or modify arbitrary files on the remote server.


The remote FTP server is vulnerable to a SQL injection when it processes the USER command.

An attacker may exploit this flaw to log into the remote host as any user.


If the remote server is ProFTPD, upgrade to ProFTPD 1.2.10.

Plugin Details

Severity: High

ID: 11768

File Name: proftpd_pgsql_insertion.nasl

Version: $Revision: 1.20 $

Type: remote

Family: FTP

Published: 2003/06/19

Modified: 2011/12/05

Dependencies: 10092

Risk Information

Risk Factor: High


Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:proftpd:proftpd

Required KB Items: ftp/proftpd

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2003/06/18

Reference Information

CVE: CVE-2003-0500

BID: 7974

OSVDB: 9507