proftpd: Several SQL injection vulnerabilities

Related Vulnerabilities: CVE-2009-0543   CVE-2009-0542  

Debian Bug report logs - #516388


Package: proftpd; Maintainer for proftpd is (unknown);

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Sat, 21 Feb 2009 05:24:01 UTC

Severity: grave

Tags: security

Fixed in version proftpd-dfsg/1.3.2-1

Done: "Francesco P. Lovergine" <frankie@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Francesco Paolo Lovergine <frankie@debian.org>:
Bug#516388; Package proftpd. (Sat, 21 Feb 2009 05:24:04 GMT)


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Francesco Paolo Lovergine <frankie@debian.org>. (Sat, 21 Feb 2009 05:24:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: proftpd: Several SQL injection vulnerabilities
Date: Sat, 21 Feb 2009 16:21:51 +1100
Package: proftpd
Severity: grave
Tags: security
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for proftpd.

CVE-2009-0543[0]:
| ProFTPD Server 1.3.1, with NLS support enabled, allows remote
| attackers to bypass SQL injection protection mechanisms via invalid,
| encoded multibyte characters, which are not properly handled in (1)
| mod_sql_mysql and (2) mod_sql_postgres.

CVE-2009-0542[1]:
| SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2
| allows remote attackers to execute arbitrary SQL commands via a "%"
| (percent) character in the username, which introduces a "'" (single
| quote) character during variable substitution by mod_sql.

The postgresql part should still be vulnerable as discussed via
previous mail. The second issue seems to be still unaddressed. It needs
to be investigated whether upstream's fix is complete, since it doesn't
seem to use the usual escaping functions.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0543
    http://security-tracker.debian.net/tracker/CVE-2009-0543
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0542
    http://security-tracker.debian.net/tracker/CVE-2009-0542
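As an added example for this page (not ProFTPD or mod_sql code, and not from the reporter), the following Python models the two failure classes the CVE texts above describe: an escaping routine that works on bytes while the database decodes the query in a multibyte charset (the CVE-2009-0543 class), and a query built by escaping the login name and then substituting it into a %-tag template, where running the substitution a second time over the finished query lets a "%" sequence inside the name reintroduce a raw quote (one way to get the CVE-2009-0542 symptom; the page does not describe mod_sql's actual code path, and this ordering bug is an assumption made for the demonstration). The GBK charset, the `users` table, the `%u` expander and the usernames are all constructed here; the last function shows the parameterized query that removes the escaping problem entirely.

```python
# Added example for this page, not code from ProFTPD or mod_sql.  A toy
# query builder shows the two failure classes named in the CVE texts above
# and the checks that catch them.  The GBK charset, the users table and the
# usernames are constructed for the demonstration; expand_tags() is a
# hypothetical stand-in for a %-tag substitution step.
import sqlite3

# Query template: %u is replaced by the login name the FTP client sent.
TEMPLATE = b"SELECT passwd FROM users WHERE userid='%u'"


def naive_escape(value: bytes) -> bytes:
    """Byte-oriented escaping that knows nothing about the connection charset."""
    return value.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def charset_aware_escape(value: bytes, charset: str) -> bytes:
    """Decode strictly first, so an invalid or truncated multibyte sequence
    raises UnicodeDecodeError instead of being escaped byte by byte; then
    escape characters rather than bytes and re-encode in the same charset."""
    text = value.decode(charset)
    return text.replace("\\", "\\\\").replace("'", "\\'").encode(charset)


def expand_tags(template: bytes, user: bytes) -> bytes:
    """Hypothetical tag expander: only %u (the login name) is defined."""
    return template.replace(b"%u", user)


def query_escape_then_expand(user: bytes) -> bytes:
    """Escape, substitute once, stop.  Still unsafe when the escaping is
    charset-blind (compare structural_quotes under latin-1 and gbk)."""
    return expand_tags(TEMPLATE, naive_escape(user))


def query_escape_then_reexpand(user: bytes) -> bytes:
    """Ordering-bug model (assumption, not mod_sql's real code path): the
    expander runs a second time over the finished query, so a %u that arrived
    inside the client's data is replaced by the raw, unescaped name."""
    first = expand_tags(TEMPLATE, naive_escape(user))
    return expand_tags(first, user)


def query_charset_checked(user: bytes, charset: str):
    """Escape with the connection charset; None means the client sent bytes
    that are not valid in that charset and the login should be rejected."""
    try:
        return expand_tags(TEMPLATE, charset_aware_escape(user, charset))
    except UnicodeDecodeError:
        return None


def structural_quotes(query: bytes, charset: str) -> int:
    """Count the single quotes the server will treat as string delimiters
    once it decodes the query in its own charset: a quote preceded by an even
    number of backslashes (0, 2, ...).  One string literal means exactly 2."""
    text = query.decode(charset)
    count = 0
    for i, ch in enumerate(text):
        if ch != "'":
            continue
        j = i - 1
        while j >= 0 and text[j] == "\\":
            j -= 1
        if (i - 1 - j) % 2 == 0:  # even run of backslashes: the quote is live
            count += 1
    return count


def lookup_parameterized(user: str) -> list:
    """The fix that makes escaping order irrelevant: bind the name as a query
    parameter.  In-memory sqlite3 with a constructed table stands in for the
    backend; the MySQL and PostgreSQL client libraries bind the same way."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userid TEXT, passwd TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "hash-a"), ("bob", "hash-b")])
    rows = con.execute("SELECT passwd FROM users WHERE userid=?", (user,)).fetchall()
    con.close()
    return [passwd for (passwd,) in rows]


if __name__ == "__main__":
    # CVE-2009-0543 class: 0xBF is a GBK lead byte, so the backslash that
    # naive_escape inserts is swallowed as its trail byte and the quote is live.
    gbk_user = b"\xbf' OR 1=1 -- "
    q = query_escape_then_expand(gbk_user)
    print("single-byte view:", structural_quotes(q, "latin-1"))  # 2
    print("server GBK view: ", structural_quotes(q, "gbk"))      # 3
    print("strict decode:   ", query_charset_checked(gbk_user, "gbk"))  # None
    # CVE-2009-0542 class: a %u inside the name survives escaping and is
    # expanded to the raw name if substitution is run twice.
    u = b"' OR 1=1 -- %u"
    print("expanded once: ", structural_quotes(query_escape_then_expand(u), "utf-8"))    # 2
    print("expanded twice:", structural_quotes(query_escape_then_reexpand(u), "utf-8"))  # 3
    print("parameterized: ", lookup_parameterized("' OR 1=1 -- "))  # []
```

The point of `structural_quotes` is the check a reviewer of an escaping fix should make: decode the finished query the way the server will, in its connection charset, and only then judge whether the escaping held. A single-byte view of the same bytes reports the query as intact while a GBK view shows the extra live quote, which is why escaping with a charset-aware routine (or rejecting bytes that are invalid in the connection charset) matters, and why binding the name as a parameter is the simpler fix.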




Information forwarded to debian-bugs-dist@lists.debian.org, Francesco Paolo Lovergine <frankie@debian.org>:
Bug#516388; Package proftpd. (Tue, 24 Feb 2009 09:00:02 GMT)


Acknowledgement sent to Milen Rangelov <gat3way@gat3way.eu>:
Extra info received and forwarded to list. Copy sent to Francesco Paolo Lovergine <frankie@debian.org>. (Tue, 24 Feb 2009 09:00:02 GMT)


Message #10 received at 516388@bugs.debian.org:

From: Milen Rangelov <gat3way@gat3way.eu>
To: 516388@bugs.debian.org
Subject: proftpd: Several SQL injection vulnerabilities
Date: Tue, 24 Feb 2009 10:58:41 +0200
Since I am the "culprit" that reported the second bug (CVE-2009-0542), I can
confirm it affects Debian's proftpd packages in testing/unstable
repositories. That's because I discovered it on my Debian system.

My proftpd version is 1.3.1-16.

According to the ProFTPD team, the bug is fixed in 1.3.2 rc3 (1.3.2 is not 
vulnerable, 1.3.2 rc1 and rc2 are vulnerable), so upgrading to 1.3.2 should 
fix the issue.




Reply sent to "Francesco P. Lovergine" <frankie@debian.org>:
You have taken responsibility. (Tue, 24 Feb 2009 11:27:10 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Tue, 24 Feb 2009 11:27:10 GMT)


Message #15 received at 516388-done@bugs.debian.org:

From: "Francesco P. Lovergine" <frankie@debian.org>
To: Milen Rangelov <gat3way@gat3way.eu>, 516388-done@bugs.debian.org
Subject: Re: Bug#516388: proftpd: Several SQL injection vulnerabilities
Date: Tue, 24 Feb 2009 12:26:54 +0100
Package: proftpd-dfsg
Version: 1.3.2-1

Note that 1.3.1-17 also partially fixes CVE-2009-0543. That bug
does not apply to 1.3.0. Next time it would be better to report
each issue separately.

-- 
Francesco P. Lovergine




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 May 2009 07:36:45 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:43:52 2019; Machine Name: beach
