/*
* Private .. ... distribute
*
* proftpd-1.2.0 remote root exploit (beta2)
* (Still need some code, but it works fine)
*
* Offset: Linux Redhat 6.0
* 0 -> proftpd-1.2.0pre1
* 0 -> proftpd-1.2.0pre2
* 0 -> proftpd-1.2.0pre3
* (If this dont work, try cha
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
/*
* babcia padlina ltd. (poland, 17/08/99)
*
* your ultimate proftpd pre0-3 exploiting toolkit
*
* based on:
* - adm-wuftpd by duke
* - kombajn do czereśni by Lam3rZ (thx for shellcode!)
*
* thx and greetz.
*/
#include
Here goes the fix.
dumped
Sekure SDI
On Fri, 27 Aug 1999 [EMAIL PROTECTED] wrote:
--- proftpd-1.2.0pre2.orig/modules/mod_xfer.c Sun Aug 29 11:17:42 1999
+++ proftpd-1.2.0pre2/modules/mod_xfer.cSun Aug 29 11:22:24 1999
@@ -28,6 +28,11 @@
* _translate_ascii was returning a
Hi!
If you want to disable this fast on your ProFTPD,
just add:
PathAllowFilter ".*/[A-Za-z0-9]+-$"
Greetz.
--
Krzysztof Anton, <[EMAIL PROTECTED]>
http://www.powernet.pl/~kloss
GSM/SMS: +48-601-276972
IRC: Mr_Kloss
"In Cyberspace No One Can Hear Your Scream..."
d sizeof(p->value.str_val)
gives you sizeof(char *).
To address the bug exploited by the published exploit, apply the following
patch, or upgrade to proftpd 1.2.0pre4 (which includes this fix),
available from ftp.tos.net:/pub/proftpd/
--- proftpd-1.2.0pre3a/src/log.c.orig Mon Aug 30 12:28:5
t fix the problem, here. Attached is one that
did.
There's a couple other places in ProFTPd which strike me as, if not
insecure, at least insufficiently paranoid; I'll pass along a patch for
those to proftpd-l later.
Dan
/\ /
Hi,
Note that user takes the value "user@host" given at password prompt
for anonymous access (forgetting any potential dns attacks into remhost)
This allows anyone to smash the stack just with an anonymous access
and a file to download.
(see last published exploits.)
Regards,
Pascal
On Mon, Aug
Just a quick note to folks -- I've released ProFTPD 1.2.0pre5. This release
should *CORRECTLY* address the security issues pointed out earlier. Some
release notes:
1) There's been a decent security review of the code. I won't claim that
there are no holes, but we've gone t
A member of the proftpd mailing list and myself discovered a problem
with proftpd with mod_sqlpw.c optional module compiled in.
Unix last command reveals passwords where the username should be.
A patch was sent to the mailing list, however, the patch only protects
ftp localhost not ftp
Hi,
It is not stated on the site yet, but on the ProFTPD mailinglist version
1.2.0pre4 was announced, which fixes the bug that was mailed to Bugtraq
this weekend.
>
Until then, I'm announcing ProFTPD 1.2.0pre4 -- this fixes the bug
announced on BUGTRAQ, as well as addresses (hopefu
...has been released.
http://www.proftpd.org
or
ftp://ftp.tos.net/pub/proftpd
really have no clue if there are exploits possible for the other issues
that might allow breakins; please keep up to date and upgrade as soon as
the new version is available).
Anyhow, here's the patch:
--- proftpd-1.2.0pre6.old/src/main.cFri Sep 10 15:49:32 1999
+++ proftpd-1.2.0pre6/src/m
Hello,
proftpd is vulnerable to denial of service similar to the list
*/../*/../*/../*.
#!/bin/sh
#
# proftpd <=1.2.7rc3 DoS - Requires anonymous/ftp login at least
# might work against many other FTP daemons
# consumes nearly all memory and alot of CPU
#
# tested against slackware 8.1 - prof
Malicious User <[EMAIL PROTECTED]> writes:
> knock it around. I suspect this version will still fail on FreeBSD
> (anyone care to offer up an account for me on a FreeBSD system to test
Instead of using snprintf() you can you sprintf() and change the
"%s" formats to (e.g.) "$%.30s" - somewhat m
Werner Koch <[EMAIL PROTECTED]> writes:
Malicious User <[EMAIL PROTECTED]> writes:
> knock it around. I suspect this version will still fail on FreeBSD
> (anyone care to offer up an account for me on a FreeBSD system to test
Instead of using snprintf() you can you sprintf() and ch
> In addition, it is worth noting that snprintf() as specified by the
> C9x draft has return value semantics different from those commonly
> found. As a result, calls to snprintf() where the return value is
> checked should be scrutinized, since this change could presumably pose
> a security risk
>Yes, people should be really careful about this.
>
>- The 4.4 BSD snprintf routines were mostly right before, and now
> they are even better. I can only speak for OpenBSD.
Which snprintf() function originally returned "n" where n was at most
"size - 1"? That was the original specification (bu
Please trust me. it's still not secure.
Exploit in a few days.
-Tymm
On Wed, 15 Sep 1999, Albert C. Uy wrote:
> ...has been released.
>
> http://www.proftpd.org
>
> or
>
> ftp://ftp.tos.net/pub/proftpd
>
-BEGIN PGP SIGNED MESSAGE-
__
SuSE Security Announcement
Package: proftpd-1.2.0pre6 and earlier
Date: Thu Sep 16 20:59:18 CEST 1999
Affected: all UNIX
Tested on Linux with standard RedHat 6.0 install (w/glibc 2.0
compatability), proftpd installed with configure/make/make install...
- ftp to host
- login (anonymous or no)
(this should be all on one line, no spaces)
ftp> ls aaa%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u
%u%u%
===
Summary
===
Three issues with the ProFTPD FTP server have been reported to BUGTRAQ in
the past month. These issues have been addressed by the ProFTPD core team.
The following vulnerabilities are addressed in this advisory:
1. "SIZE memory leak"
http://www.securit
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mandrake Linux Security Update Advisory
Package name: proftpd
Date
/
___
Package : proftpd
Date: April 5, 2013
Affected: Business Server 1.0, Enterprise Server 5.0
___
Problem Description:
A vulnerability has been found and corrected in proftpd:
ProFTPD before 1.3.5rc1
/
___
Package : proftpd
Date: October 3, 2013
Affected: Business Server 1.0, Enterprise Server 5.0
___
Problem Description:
A vulnerability has been discovered and corrected in proftpd:
Integer overflow in
/
___
Package : proftpd
Date: March 18, 2011
Affected: 2010.0, 2010.1
___
Problem Description:
A vulnerability was discovered and corrected in proftpd:
Integer overflow in the mod_sftp (aka SFTP) module in ProFTPD
/
___
Package : proftpd
Date: December 7, 2011
Affected: 2010.1, 2011., Enterprise Server 5.0
___
Problem Description:
A vulnerability was discovered and fixed in proftpd:
Use-after-free vulnerability in the Response
/
___
Package : proftpd
Date: November 11, 2010
Affected: 2009.0, 2009.1, 2010.0, 2010.1, Corporate 4.0,
Enterprise Server 5.0
___
Problem Description:
Multiple vulnerabilities were discovered and corrected in
/
___
Package : proftpd
Date: February 8, 2011
Affected: 2009.0, 2010.0, 2010.1, Enterprise Server 5.0
___
Problem Description:
A vulnerability has been found and corrected in proftpd:
Heap-based buffer overflow in the
/
___
Package : proftpd
Date: October 23, 2009
Affected: 2009.0, 2009.1, Corporate 3.0, Corporate 4.0,
Enterprise Server 5.0
___
Problem Description:
A vulnerability has been identified and corrected in
/
___
Package : proftpd
Date: December 22, 2009
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
Enterprise Server 5.0
___
Problem Description:
A vulnerability has been identified and corrected in
to earlier versions without too much trouble.
Regards,
Nic.
-- Nic Bellamy <[EMAIL PROTECTED]>
J. Random Coder.
--- proftpd-1.2.0pre3a/src/log.c.orig Mon Aug 30 12:28:53 1999
+++ proftpd-1.2.0pre3a/src/log.cMon Aug 30 12:29:05 1999
@@ -111,7 +111,7 @@
if(xferfd
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Linux-Mandrake Security Update Advisory
Package name: proftpd
Date
Hi
Trustix has made available security updates for Trustix secure linux.
kernel:
Trustix specific: no
Distribution versions: All
A race condition in ptrace allows a malicious user to gain root. A
signedness error in the sysctl interface also potentially allows a user
to gain root.
proftpd
ProFTPD Bug ID: 1066
(http://bugs.proftpd.org/show_bug.cgi?id=1066)
Versions affected:
ProFTPD 1.2.1 is vulnerable. Earlier versions are also believed to be
affected.
Problem commands:
Problem commands include:
ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
ls
This is so old I can't even find any postings/articles I remember making on
it. Here is one link from early last year:
http://lwn.net/2001/0322/a/proftpd-dos.php3
Check the documentation:
DenyFilter \*.*/
Problem solved.
People should search Google before posting, it's far less e
Hello,
1. I know that the workaround with the DenyFilter works.
2. Proftpd by default doesn't have this filter set, neither has the
default proftpd install on slackware 8.1
3. The methods mentioned on the page you refer to do not work on later
proftpd versions (tested on 1.2.7rc3) be
> Hello,
>
> 1. I know that the workaround with the DenyFilter works.
Actually it turns out there is no need for DenyFilter.
> 2. Proftpd by default doesn't have this filter set, neither has the
>default proftpd install on slackware 8.1
In any event this is immaterial a
On Mon, 30 Aug 1999, Nic Bellamy wrote:
> tracked this problem to an sprintf() into a buffer on the stack
> in the log_xfer() routine in src/log.c. Gotta love it. Sigh.
What's interesting to note is that I notified the contact at ProFTPd of
this exact overflow back during th
Jordan Ritter wrote:
>
> On Mon, 30 Aug 1999, Nic Bellamy wrote:
>
> > tracked this problem to an sprintf() into a buffer on the stack
> > in the log_xfer() routine in src/log.c. Gotta love it. Sigh.
>
> What's interesting to note is that I notified the co
Hello,
I've seen some discussion about the possibility of exploit the newest
proftpd vulnerability without having the permission to write (STOR). Here
is the proof. Unlikely the last published exploit, this one does not have
tricks like buggy NOP code or something (to avoid script ki
Another examples of bad coding in ftp daemons, proftpd-1.2.0rc2 in this case.
main.c:659:
void main_exit(void *pv, void *lv, void *ev, void *dummy)
{
int pri = (int) pv;
char *log = (char *) lv;
int exitcode = (int) ev;
log_pri(pri, log); /* here */
main_exit() is called by
also sprach Joe Dollard <[EMAIL PROTECTED]> [2002.03.25.2114 +0100]:
> The version of proftp that is in debian potato (1.2.0pre10 as
> reported by running 'proftpd -v ') is vulnerable to a glob DoS
> attack, as discovered on the 15th March 2001. You ca
Name: ProFTPD mod_tls pre-authentication buffer overflow
Vendor: http://www.proftpd.org
Release date: 28 Nov, 2006
Author: Evgeny Legerov <[EMAIL PROTECTED]>
I. DESCRIPTION
A remote buffer overflow vulnerability has been found in mod_tls module of
ProFTPD serve
\n[+] ./exploit.pl ftp.target.net
\n\n" ; exit();}
$host = $ARGV[0];
system("cls") ;
print
"------\n".
"[+] ProFTPd with mod_mysql Authentication Bypass
Exploit \n".
/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: ProFTPD: Multiple vulnerabilities
Date: March 12, 2009
Bugs: #258450
ID: 200903-27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
Two
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
[slackware-security] proftpd (SSA:2020-051-01)
New proftpd packages are available for Slackware 14.0, 14.1, 14.2, and -current
to fix a security issue.
Here are the details from the Slackware 14.2 ChangeLog:
+--+
patches
/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: ProFTPD: Local privilege escalation
Date: February 13, 2007
Bugs: #158122
ID: 200702-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
A flaw
2006-11-16
Package: proftpd
Vulnerability:denial of service
OpenPKG Specific: no
Affected Series: Affected Packages: Corrected Packages:
E1.0-SOLID<= proftpd-1.
Hi
Can i get this straight, vendor was notified on the 16th of November,
but this vulnerability has been part of VulnDisco since Jan 2006? Is
that actually correct? This was known about ten months ago but not
disclosed until now?
Mark
[EMAIL PROTECTED] wrote:
Name: ProFTPD
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Core Security Technologies - Corelabs Advisory
http://www.coresecurity.com/corelabs/
ProFTPD Controls Buffer Overflow
Date Published: 2006-12-13
Last Update: 2006-12-12
Advisory ID: CORE-2006-1127
-15
Issue Revision: 07
Subject Name:ProFTPD
Subject Summary: Professional FTP Daemon
Subject Home:http://www.proftpd.org/
Subject Versions:* < 1.3.1rc1
Vulnerability
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
[slackware-security] proftpd (SSA:2015-111-12)
New proftpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
and -current to fix a security issue.
Here are the details from the Slackware 14.1 ChangeLog
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
[slackware-security] proftpd (SSA:2017-112-03)
New proftpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
14.2, and -current to fix security issues.
Here are the details from the Slackware 14.2 ChangeLog
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
[slackware-security] proftpd (SSA:2012-041-04)
New proftpd packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0,
13.1, 13.37, and -current to fix security issues.
Here are the details from the Slackware 13.37 ChangeLog
http://www.debian.org/security/faq
- -
Package: proftpd-dfsg
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2008-7265 CVE-2010-3867 CVE-2010-4652
Several
https://www.debian.org/security/faq
- -
Package: proftpd-dfsg
CVE ID : CVE-2019-12815
Debian Bug : 932453
Tobias Maedel discovered that the mod_copy module of ProFTPD, a
FTP/SFTP/FTPS server
https://www.debian.org/security/faq
- -
Package: proftpd-dfsg
CVE ID : CVE-2019-18217
Debian Bug : 942831
Stephan Zeisberg discovered that missing input validation in ProFTPD, a
FTP/SFTP/FTPS
-BEGIN PGP SIGNED MESSAGE-
- -
Red Hat, Inc. Security Advisory
Synopsis: Buffer overflow in proftpd
Advisory ID:RHSA-1999:034-01
Issue date: 1999-08-31
Keywords
-
The proftpd version that was distributed in Debian GNU/Linux 2.1
had several buffer overruns that could be exploited by remote
attackers. A short list of problems:
* user input was used in snprintf() without sufficient checks
* there was an
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --
PACKAGE : proftpd
SUMMARY : Denial of Service
DATE
dear bugtraq'ers,
i must confess that the information i provided wrt the acclaimed DoS
exploit in Debian potato's proftpd package (1.2.0pre10-2.0potato1) was
not fully accurate. the package *does in fact contain a buggy daemon*
despite having been fixed, according to the changelog:
At 03:40 PM 3/29/2002, martin f krafft wrote:
> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
...
> DenyFilter \*.*/
Just as a quick question, why not deny the string "/../" (you may have to
deny the regex "/\.\./", depending how the filter in question works)?
As far as
/
___
Package : proftpd
Date: November 20, 2006
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
___
Problem Description:
As disclosed by an exploit (vd_proftpd.pm) and a related vendor bugfix,
a Denial of
;s sreplace() function to allow a remote
attacker to execute arbitrary code.
This vulnerabillity, identified as CVE-2006-5815[3], is believed to affect
all versions of ProFTPD up to and including 1.3.0, but exploitability has
only been demonstrated with version 1.3.0rc3. The demonstrated exploit
reli
http://www.debian.org/security/faq
- -
Package: proftpd-dfsg
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-4359
Debian Bug : 723179
Kingcope
http://www.debian.org/security/faq
- -
Package: proftpd-dfsg
CVE ID : CVE-2015-3306
Debian Bug : 782781
Vadim Melihow discovered that in proftpd-dfsg, an FTP server, the
mod_copy module
Advanced Information Security Corporation
===
Date: 22/11/2015
Credit: Nicholas Lemonias
.:: PROFTPD v1.3.5a HEAP OVERFLOWS
http://www.debian.org/security/faq
- -
Package: proftpd-dfsg
Vulnerability : symlink race
Problem type : local
Debian-specific: no
CVE ID : CVE-2012-6095
Debian Bug : 697524
It has been
http://www.debian.org/security/faq
- -
Package: proftpd-dfsg
Vulnerability : integer overflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-1137
It was discovered that an integer
http://www.debian.org/security/faq
- -
Package: proftpd-dfsg
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-4130
Debian Bug : 648373
Several
http://www.debian.org/security/faq
- -
Package: proftpd-dfsg
Vulnerability : several
Problem type : remote
Debian-specific: no
Debian Bug : 648922
The ProFTPD security update, DSA-2346-1, introduced
-
Package: proftpd
Vulnerability: remote DOS & potential buffer overflow
Debian-specific: no
The following problems have been reported for the version of proftpd in
Debian 2.2 (potato):
1. There is a memory leak in the SIZE com
/
___
Package : proftpd
Date: January 23, 2007
Affected: Corporate 3.0
___
Problem Description:
A stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0
and earlier, allows remote attackers to cause a
#!/usr/bin/perl -w
# Local Exploit
#
# [ Exploitation condition ]
# - proftpd must be compiled with --enable-ctrls option
# - local user needs permission to connect through unix socket (from
proftpd.conf)
#
# This one works for 2.6 exploitation against gcc 4.x
# Payload will bind /bin/sh
ww.mandriva.com/security/
> ___
>
> Package : proftpd
> Date: November 20, 2006
> Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
> ___
>
> Problem Description:
>
> As
/
___
Package : proftpd
Date: November 30, 2006
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
___
Problem Description:
A stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0
and earlier
/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: ProFTPD: Remote execution of arbitrary code
Date: November 30, 2006
Bugs: #154650
ID: 200611-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
/
___
Package : proftpd
Date: December 18, 2006
Affected: 2007.0
___
Problem Description:
Stack-based buffer overflow in the pr_ctrls_recv_request function in
ctrls.c in the mod_ctrls module in ProFTPD before
Hi there!
See my blog post about the mentioned vulnerability.
http://kingcope.wordpress.com/2013/09/11/proftpd-mod_sftpmod_sftp_pam-invalid-pool-allocation-in-kbdint-authentication/
Cheers,
Kingcope
Advanced Information Security Corporation
===
Date: 22/11/2015
Credit: Nicholas Lemonias
.::PROFTPD v1.3.5a HEAP OVERFLOWS ::.
ADVANCED INFORMATION SECURITY CORPORATION
-
Package: proftpd
Vulnerability : remote DOS & potential buffer overflow
Debian-specific: no
In Debian Security Advisory DSA 029-1 we have reported several
vulnerabilities in proftpd that have been fixed.
n 19 Feb 2007 19:43:41 -, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
#!/usr/bin/perl -w
# Local Exploit
#
# [ Exploitation condition ]
# - proftpd must be compiled with --enable-ctrls option
# - local user needs permission to connect through unix socket (from
proftpd.conf)
#
#
Hmm, anyone know if the release candidates on proftpd.org are vulnerable
to this?
Mark**
[EMAIL PROTECTED] wrote:
#!/usr/bin/perl -w
# Local Exploit
#
# [ Exploitation condition ]
# - proftpd must be compiled with --enable-ctrls option
# - local user needs permission to connect through
At least next time that you stole code from other people be sure to change
usage sub too you l33t h4x0r
http://www.0xcafebabe.it/sploits/revenge_proftpd_ctrls_26.pl
http://www.0xcafebabe.it/sploits/revenge_proftpd_ctrls_24.pl
-Revenge
/
___
Package : proftpd
Date: June 20, 2007
Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0
___
Problem Description:
The Auth API in ProFTPD, when multiple simultaneous authentication
modules are configured
http://www.debian.org/security/faq
- --
Package: proftpd
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2006-5815 CVE-2006-6170 CVE-2006-6171
Debian Bug
http://www.debian.org/security/faq
- --
Package: proftpd
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2006-5815 CVE-2006-6170 CVE-2006-6171
Debian Bug
http://www.debian.org/security/faq
- --
Package: proftpd
Vulnerability : programming error
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2006-5815
Debian Bug : 399070
It was
http://www.debian.org/security/faq
- --
Package: proftpd
Vulnerability : programming error
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2005-4816
Debian Bug : 404751
Martin Loewer
Hello,
Just found out a problem with proftpd's sql authentication. The problem is
easily reproducible if you login with username like:
USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; --
and a password of "1" (without quotes).
which leads to a successful login. Diff
-- Forwarded message --
Date: Sun, 05 Sep 1999 02:08:29 +0200 (CEST)
From: Renaud Deraison <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [linux-security] buffer overflow in proftpd-1.2.0pre4,
supposed to be 'safe'
Resent-Date: Sun, 05 Sep 1999 06:16:54 +
Hello Bugtraq:
Not so much time ago a ProFTPd remote vulnerability was released:
" ProFTPd has memory leakage bug when it executes the SIZE FTP command. By
calling the FTP command SIZE 5000 times it possible to cause ProFTPd to
consume over 300kB of memory. Exploiting thi
Hi,
On Tue, 2009-02-10 at 19:49 +, gat3...@gat3way.eu wrote:
> Just found out a problem with proftpd's sql authentication. The problem is
> easily reproducible if you login with username like:
Could you please provide the version number which is affected by this?
Running ProF
Looks like a very serious issue to me - it works on our ProFTPD
1.3.2rc2 Server (latest stable on gentoo).
220 ProFTPD 1.3.2rc2 Server (Pumpkin) [xx.xx.xx.xx]
USER %') and 1=2 union select
1,0x24312452565a583533784324716a304d4d6b4670426b4b486177644264756634392f,uid,gid,homedir,shell
fro
, 2009 2:49:53 PM GMT -05:00 Colombia
Subject: Another SQL injection in ProFTPd with mod_mysql (probably postgres as
well)
Hello,
Just found out a problem with proftpd's sql authentication. The problem is
easily reproducible if you login with username like:
USER %') and 1=2 union sele
andling of the "%" character (probably
> that's some way to sanitize input to avoid format string things?).
>
> Anyway, %' effectively makes the single quote unescaped and that eventually
> allows for an SQL injection during login.
Tested also on Debian Etch ProFTPD 1.3.0
Does not work.
E
Reproduceable under Gentoo with Proftpd 1.3.1 - But not under debian
etch with Proftpd 1.3.0
The newst Proftpd in Gentoo is 1.3.2-rc2, but there seems to be an
Mysql-related patch in the build-file now. I also tested vanilla
1.3.2-rc4 and 1.3.2, with all three the sql-injection is not
http://www.debian.org/security/faq
- --
Package: proftpd-dfsg
Vulnerability : SQL injection vulnerabilites
Problem type : remote
Debian-specific: no
CVE Ids: CVE-2009-0542 CVE-2009-0543
Two
http://www.debian.org/security/faq
-
Package: proftpd-dfsg
Vulnerability : SQL injection vulnerabilites
Problem type : remote
Debian-specific: no
CVE Id : CVE-2009-0542 CVE-2009-0543
The security
> " ProFTPd has memory leakage bug when it executes the SIZE FTP command. By
> calling the FTP command SIZE 5000 times it possible to cause ProFTPd to
> consume over 300kB of memory. Exploiting this bug with more SIZE commands
> gives us simple DoS attack. Anonymous access is
1 - 100 of 121 matches
Mail list logo
