Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2009-0542

SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via a "%" (percent) character in the username, which introduces a "'" (single quote) character during variable substitution by mod_sql.

Related bugs and status

CVE-2009-0542 (Candidate) is related to these bugs:

Bug #508738: proftpd sql injection

		In	Importance	Status
508738	proftpd sql injection	proftpd-dfsg (Ubuntu)	High	Fix Released
508738	proftpd sql injection	proftpd-dfsg (Ubuntu Jaunty)	High	Fix Released
508738	proftpd sql injection	proftpd-dfsg (Ubuntu Lucid)	High	Fix Released

Bug #997113: Ubuntu 8.04.4 LTS - Proftpd SQL exploit

Summary				In	Importance	Status
	997113	Ubuntu 8.04.4 LTS - Proftpd SQL exploit		proftpd-dfsg (Ubuntu)	Undecided	Fix Released
	997113	Ubuntu 8.04.4 LTS - Proftpd SQL exploit		proftpd-dfsg (Ubuntu Hardy)	Undecided	Won't Fix

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2009021...
MLIST: [oss-security] 2009021...
MLIST: [oss-security] 2009021...
CONFIRM: http://bugs.proftpd.or...
MANDRIVA: MDVSA-2009:061
GENTOO: GLSA-200903-27
SECUNIA: 34268
DEBIAN: DSA-1730
EXPLOIT-DB: 8037
BUGTRAQ: 20090210 Another SQL i...
BUGTRAQ: 20090210 ProFTPd with ...
BUGTRAQ: 20090210 Re: Another S...
BUGTRAQ: 20090211 Re: Re: Anoth...