PT-2003-1673
Published: 2003-07-04 · Updated: 2008-09-05
CVE-2003-0500
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: ProFTPD versions 1.2.9rc1 and earlier
Description: A SQL injection vulnerability exists in the PostgreSQL authentication module for ProFTPD, allowing remote attackers to execute arbitrary SQL and gain privileges by bypassing authentication or stealing passwords via the USER name. The cause is that the mod_sql_postgres backend module does not properly escape the strings it embeds in SQL queries, so a remote attacker can insert arbitrary SQL code in the USER name supplied during login and gain unauthorized access to the server.
Recommendations: For ProFTPD versions 1.2.9rc1 and earlier, update to version 1.2.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the mod_sql_postgres backend module until a patch is available. Avoid using the USER name field in a way that could allow arbitrary SQL code injection until the issue is resolved.


Related Identifiers

CVE-2003-0500
DSA-338

Affected Products

Postgresql
Proftpd