Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well)

2009-02-25 Thread Benjamin Milde
Reproducible under Gentoo with Proftpd 1.3.1, but not under debian etch with Proftpd 1.3.0. The newest Proftpd in Gentoo is 1.3.2-rc2, but there seems to be a MySQL-related patch in the build-file now. I also tested vanilla 1.3.2-rc4 and 1.3.2, with all three the sql-injection is not reproduceabl

Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well)

2009-02-11 Thread Edward Bjarte Fjellskål
gat3...@gat3way.eu wrote:
> Hello,
>
> Just found out a problem with proftpd's sql authentication. The problem is
> easily reproducible if you login with username like:
>
> USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; --
>
> and a password of "1" (without quotes).
>
> w

Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well)

2009-02-11 Thread Sergio Aguayo
, 2009 2:49:53 PM GMT -05:00 Colombia Subject: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well) Hello, Just found out a problem with proftpd's sql authentication. The problem is easily reproducible if you login with username like: USER %') and 1=2 union sele

Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well)

2009-02-11 Thread Shino
Looks like a very serious issue to me - it works on our ProFTPD 1.3.2rc2 Server (latest stable on gentoo). 220 ProFTPD 1.3.2rc2 Server (Pumpkin) [xx.xx.xx.xx] USER %') and 1=2 union select 1,0x24312452565a583533784324716a304d4d6b4670426b4b486177644264756634392f,uid,gid,homedir,shell from ftp # 331

Re: Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well)

2009-02-11 Thread gat3way
Uh-oh, sorry, bad copy-paste... the user is just %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; -- not USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; -- I am using debian packaged proftpd 1.3.1-16 if that matters.

Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well)

2009-02-10 Thread Daniel Mayer
Hi, On Tue, 2009-02-10 at 19:49 +, gat3...@gat3way.eu wrote: > Just found out a problem with proftpd's sql authentication. The problem is > easily reproducible if you login with username like: Could you please provide the version number which is affected by this? Running ProFTPD Version: 1.3.

Another SQL injection in ProFTPd with mod_mysql (probably postgres as well)

2009-02-10 Thread gat3way
Hello, Just found out a problem with proftpd's sql authentication. The problem is easily reproducible if you login with username like: USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; -- and a password of "1" (without quotes). which leads to a successful login. Diff