Ubuntu 8.04.4 LTS - Proftpd SQL exploit
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
proftpd-dfsg (Ubuntu) | Fix Released | Undecided | Unassigned |
Hardy | Won't Fix | Undecided | Unassigned |
Bug Description
Proftpd version 1.3.1-6ubuntu1 exploit:
The variable substitution feature in the version of ProFTPD running on the remote host can be abused to conduct a SQL injection attack. For example, a remote attacker can bypass authentication using a specially crafted username containing a percent sign character ('%'), a single quote, and SQL code.
Solution: Upgrade to ProFTPD 1.3.2rc3 or later.
Could this be fixed in Ubuntu 8.04.4 LTS?
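An added example, not from this report or from ProFTPD's sources, modelling the bug class the description names: a username is escaped and spliced into a query clause, but a later tag-substitution pass re-expands a tag carried inside the raw username and undoes the escaping. It shows that pattern beside a quote-balance check a reviewer could run over generated clauses and a parameterized lookup as the hardened form; the `%U` tag, the `users` table and its `userid` column are assumptions for the illustration.

```python
import sqlite3

# Constructed login lookup template. The %U tag ("current username"), the
# column and the table are assumptions for this example, not ProFTPD's own.
WHERE_TEMPLATE = "userid = '%U'"


def escape_literal(value: str) -> str:
    """Naive quote doubling, the escaping an application might apply."""
    return value.replace("'", "''")


def vulnerable_where(username: str) -> str:
    """Model of the bug class: the value is escaped and spliced in, but a
    later tag-substitution pass runs over the assembled clause and expands
    any %U the username itself carried with the RAW, unescaped value."""
    clause = WHERE_TEMPLATE.replace("%U", escape_literal(username))
    return clause.replace("%U", username)  # second pass: escaping undone


def unescaped_quote_count(sql_fragment: str) -> int:
    """Count single quotes not part of a doubled pair. A clause holding one
    quoted literal should yield exactly 2; an odd count means the literal
    has been broken open by user-controlled text."""
    count, i = 0, 0
    while i < len(sql_fragment):
        if sql_fragment[i] == "'":
            if sql_fragment[i + 1:i + 2] == "'":
                i += 2  # doubled quote: an escaped literal quote
                continue
            count += 1
        i += 1
    return count


def make_db() -> sqlite3.Connection:
    """In-memory table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    return conn


def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: tag substitution touches the template only, the tag
    becomes a bind placeholder, and the username is passed as a parameter
    so its '%' and quote characters stay literal data."""
    clause = WHERE_TEMPLATE.replace("'%U'", "?")
    rows = conn.execute(f"SELECT userid FROM users WHERE {clause}", (username,))
    return [row[0] for row in rows.fetchall()]
```

Escaping alone leaves the clause balanced (two delimiter quotes); the second substitution pass is what reintroduces an unescaped quote, which the odd count flags.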
Lucid currently contains proftpd 1.3.2c-1ubuntu0.1, so it isn't vulnerable to this issue.