Launchpad.net

CVE 2007-2165

The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd.

Related bugs and status

CVE-2007-2165 (Candidate) is related to these bugs:

Bug #132161: vulnerable to CVE-2007-2165

		In	Importance	Status
132161	vulnerable to CVE-2007-2165	proftpd (Ubuntu)	Undecided	Invalid
132161	vulnerable to CVE-2007-2165	proftpd (Debian)	Unknown	Fix Released
132161	vulnerable to CVE-2007-2165	proftpd (Ubuntu Dapper)	Undecided	Won't Fix
132161	vulnerable to CVE-2007-2165	proftpd (Ubuntu Edgy)	Undecided	Won't Fix
132161	vulnerable to CVE-2007-2165	proftpd-dfsg (Ubuntu)	Undecided	Fix Released
132161	vulnerable to CVE-2007-2165	proftpd-dfsg (Ubuntu Dapper)	Undecided	Invalid
132161	vulnerable to CVE-2007-2165	proftpd-dfsg (Ubuntu Edgy)	Undecided	Invalid
132161	vulnerable to CVE-2007-2165	proftpd (Ubuntu Feisty)	Undecided	Invalid
132161	vulnerable to CVE-2007-2165	proftpd-dfsg (Ubuntu Feisty)	Undecided	Won't Fix
132161	vulnerable to CVE-2007-2165	proftpd (Ubuntu Gutsy)	Undecided	Invalid
132161	vulnerable to CVE-2007-2165	proftpd-dfsg (Ubuntu Gutsy)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: http://bugs.debian.org...
CONFIRM: http://bugs.proftpd.or...
BID: 23546
SECTRACK: 1017931
SECUNIA: 24867
SECUNIA: 25724
MANDRIVA: MDKSA-2007:130
CONFIRM: https://bugzilla.redha...
FEDORA: FEDORA-2007-2613
SECUNIA: 27516
OSVDB: 34602
VUPEN: ADV-2007-1444
XF: proftpd-authapi-securi...