PostgreSQL Authentication Module (mod_sql) for ProFTPD USER Name Parameter SQL Injection

high Nessus Plugin ID 11768

Synopsis

It may be possible to read or modify arbitrary files on the remote server.

Description

The remote FTP server is vulnerable to a SQL injection when it processes the USER command.

An attacker may exploit this flaw to log into the remote host as any user.

Solution

If the remote server is ProFTPD, upgrade to ProFTPD 1.2.10.

Plugin Details

Severity: High

ID: 11768

File Name: proftpd_pgsql_insertion.nasl

Version: 1.21

Type: remote

Family: FTP

Published: 6/19/2003

Updated: 7/25/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:proftpd:proftpd

Required KB Items: ftp/proftpd

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 6/18/2003

Reference Information

CVE: CVE-2003-0500

BID: 7974