Ubuntu 8.04.4 LTS - Proftpd SQL exploit

Bug #997113 reported by Martin Malmgren
Affects | Status | Importance | Assigned to | Milestone
proftpd-dfsg (Ubuntu) | Fix Released | Undecided | Unassigned |
proftpd-dfsg (Ubuntu Hardy) | Won't Fix | Undecided | Unassigned |

Bug Description

Proftpd version 1.3.1-6ubuntu1 exploit:

The variable substitution feature in the version of ProFTPD running on the remote host can be abused to conduct a SQL injection attack. For example, a remote attacker can bypass authentication using a specially crafted username containing a percent sign character ('%'), a single quote, and SQL code.

http://www.securityfocus.com/archive/1/500823/30/0/threaded

http://bugs.proftpd.org/show_bug.cgi?id=3124

http://bugs.proftpd.org/show_bug.cgi?id=3180

http://www.proftpd.org/docs/RELEASE_NOTES-1.3.2rc3
http://www.proftpd.org/docs/NEWS-1.3.2rc3

http://comments.gmane.org/gmane.comp.security.oss.general/1489

Solution: Upgrade to ProFTPD 1.3.2rc3 or later.

Could this be fixed in Ubuntu 8.04.4 LTS?
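Added illustration, not part of the report: a triage check for whether a packaged proftpd version string lies in the affected upstream range, from 1.3.1 (the version the reporter names; the lower bound is an assumption) up to but not including the fixed release 1.3.2rc3. The sample versions are the ones quoted on this page; treating an "rc" suffix as a pre-release (sorting before the bare version) and any other letter suffix as a post-release (sorting after it, so 1.3.2c is newer than 1.3.2rc3) is an assumption about how these upstream strings are meant to order.

```python
import re

# Bounds taken from the report: 1.3.1-6ubuntu1 is affected and
# "Upgrade to ProFTPD 1.3.2rc3 or later" is the stated fix.
FIRST_AFFECTED = "1.3.1"   # assumption: lower bound of the affected range
FIXED_UPSTREAM = "1.3.2rc3"


def upstream_version(dpkg_version):
    """Strip a Debian epoch ('1:') and revision ('-6ubuntu1') from a dpkg version."""
    v = dpkg_version.split(":", 1)[-1]
    return v.rsplit("-", 1)[0]


def version_key(version):
    """Sortable key so that '1.3.2rc3' < '1.3.2' < '1.3.2c'.
    Numeric runs compare as integers; 'rc' ranks below a missing component,
    any other letter run ranks above it."""
    key = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        if tok.isdigit():
            key.append((1, int(tok)))
        elif tok.lower() == "rc":
            key.append((0, 0))
        else:
            key.append((2, tok.lower()))
    return key


def version_lt(a, b):
    """True when upstream version a sorts strictly before b."""
    ka, kb = version_key(a), version_key(b)
    # A missing component counts as (1, 0), i.e. ".0": rc sorts before the
    # bare version and a trailing letter sorts after it.
    n = max(len(ka), len(kb))
    ka += [(1, 0)] * (n - len(ka))
    kb += [(1, 0)] * (n - len(kb))
    return ka < kb


def is_affected(dpkg_version):
    """True when the packaged upstream version is in [1.3.1, 1.3.2rc3)."""
    v = upstream_version(dpkg_version)
    return not version_lt(v, FIRST_AFFECTED) and version_lt(v, FIXED_UPSTREAM)


if __name__ == "__main__":
    for pkg in ("1.3.1-6ubuntu1", "1.3.2c-1ubuntu0.1", "1.3.2rc3"):
        print(pkg, "affected" if is_affected(pkg) else "not affected")
```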

Marc Deslauriers (mdeslaur) wrote :

Lucid currently contains proftpd 1.3.2c-1ubuntu0.1, so it isn't vulnerable to this issue.

affects: proftpd (Ubuntu) → proftpd-dfsg (Ubuntu)
visibility: private → public
Changed in proftpd-dfsg (Ubuntu):
status: New → Invalid
Martin Malmgren (martin-malmgren) wrote :

I know. Isn't 8.04.4 supported until April 2013?

Marc Deslauriers (mdeslaur) wrote :

Oh, sorry about that, I had misread that as 10.04 for some reason.

Since proftpd-dfsg is in universe, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Although we don't track universe packages for 8.04 in our CVE tracker any longer, if a debdiff is submitted, we will sponsor it and get it uploaded to 8.04.

Changed in proftpd-dfsg (Ubuntu):
status: Invalid → Confirmed
Changed in proftpd-dfsg (Ubuntu Hardy):
status: New → Confirmed
Changed in proftpd-dfsg (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. hardy has reached EOL (End of Life) and is no longer supported. As a result, this bug against hardy is being marked "Won't Fix". Please see https://wiki.ubuntu.com/Releases for currently supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in proftpd-dfsg (Ubuntu Hardy):
status: Confirmed → Won't Fix