oss-sec mailing list archives

Re: CVE request for proftpd


From: TJ Saunders <tj () castaglia org>
Date: Wed, 11 Feb 2009 10:58:05 -0800 (PST)


An SQL injection vulnerability in proftpd was reported on bugtraq
yesterday that could allow a user to log in to proftpd with any password
if they use mysql for authentication (and, presumably, postgresql).

References:

http://www.securityfocus.com/archive/1/500823/30/0/threaded
http://bugs.gentoo.org/show_bug.cgi?id=258450
http://bugs.proftpd.org/show_bug.cgi?id=3180
https://bugzilla.redhat.com/show_bug.cgi?id=485125

This has been reported on the ProFTPD Bugzilla:

  http://bugs.proftpd.org/show_bug.cgi?id=3180

As discussed there, this is a duplicate of an earlier bug:

  http://bugs.proftpd.org/show_bug.cgi?id=3124

and has been fixed in ProFTPD 1.3.2rc3 and later.

Cheers,
TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   There is a pleasure in the pathless woods,
   There is a rapture on the lonely shore,
   There is society, where none intrudes,
   By the deep sea and music in its roar:
   I love not man the less, but Nature more,
   From these our interviews, in which I steal
   From all I may be, or have been before,
   To mingle with the Universe, and feel
   What I can ne'er express, yet cannot all conceal.
   
        -Lord Byron
   
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

