CVE-2009-0542

Name of the Vulnerable Software and Affected Versions ProFTPD Server versions 1.3.1 through 1.3.2rc2 proftpd-doc (affected versions not specified) proftpd-mod-pgsql (affected versions not specified) proftpd-mod-mysql (affected versions not specified) proftpd (affected versions not specified) proftpd-mod-ldap (affected versions not specified) proftpd-basic (affected versions not specified)

Description The issue allows remote attackers to execute arbitrary SQL commands via a "%" (percent) character in the username, which introduces a "'" (single quote) character during variable substitution by mod sql. This can lead to a violation of confidentiality, integrity, and availability of protected information. The exploitation of the vulnerabilities can be carried out remotely.

Recommendations For ProFTPD Server versions 1.3.1 through 1.3.2rc2, consider disabling the mod sql module until a patch is available. For proftpd-doc, proftpd-mod-pgsql, proftpd-mod-mysql, proftpd, proftpd-mod-ldap, and proftpd-basic, at the moment, there is no information about a newer version that contains a fix for this vulnerability.