Bugzilla – Bug 3173
Encoding-dependent SQL injection vulnerability
Last modified: 2009-02-05 14:36:18 UTC
An attacker able to submit crafted strings to an application that will embed those strings in SQL commands can use invalidly-encoded multibyte characters to bypass standard string-escaping methods, resulting in possible injection of hostile SQL commands into the database. The attacks covered here work in any multibyte encoding.

This class of vulnerability has been seen in other products as well:

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2314
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2753
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2384

Affects ProFTPD 1.3.1 and later (but NOT earlier versions) that have NLS support enabled. If your LANG environment variable uses the "C" or "POSIX" locale, you are not vulnerable.
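The following is an added illustration of the mechanism described above, not code from ProFTPD or from the attached patch. It uses Python's GBK codec as a stand-in for the server's multibyte connection charset: a byte-oriented escaper inserts a backslash that the charset then swallows as the trail byte of a two-byte character, leaving the quote live, while a charset-aware escaper that decodes (and rejects invalid sequences) before escaping does not have that gap. The helper names and the sample inputs are constructed for the example.

```python
# Added example (not ProFTPD code). Shows why byte-level quote escaping fails
# under a multibyte charset, and a charset-aware escaper that closes the gap.

CHARSET = "gbk"  # stand-in for the DB connection's multibyte charset


def naive_escape(raw: bytes) -> bytes:
    """Byte-oriented escaping: prefix ' and \\ with a backslash.

    This ignores the connection charset, which is the flaw the report
    describes: a lead byte followed by the inserted 0x5C can form a valid
    two-byte character, so the quote that follows is no longer escaped.
    """
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x5C):  # ' and \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def safe_escape(raw: bytes, charset: str = CHARSET) -> bytes:
    """Charset-aware escaping: decode first, escape per character, re-encode.

    Strict decoding raises UnicodeDecodeError on invalid multibyte input,
    so a lone lead byte cannot be used to absorb the escape character.
    (Parameterized queries avoid the whole problem; this shows the check
    an escaping path needs.)
    """
    text = raw.decode(charset)  # strict: rejects invalid sequences
    text = text.replace("\\", "\\\\").replace("'", "\\'")
    return text.encode(charset)


def quote_survives(escaped: bytes, charset: str = CHARSET) -> bool:
    """Decode as the SQL server would and report an unescaped quote."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":   # backslash escapes the next character
            i += 2
            continue
        if text[i] == "'":
            return True
        i += 1
    return False


if __name__ == "__main__":
    sample = b"\xbf'"  # constructed: lone GBK lead byte followed by a quote
    print("naive escaper leaves quote live:", quote_survives(naive_escape(sample)))
    try:
        safe_escape(sample)
    except UnicodeDecodeError:
        print("charset-aware escaper rejected invalid multibyte input")
```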
Created attachment 2945: Fixes vulnerability in mod_sql_mysql, mod_sql_postgres
Created attachment 2946: Version of the patch for proftpd-1.3.1
Patch committed to CVS.
Resolved in 1.3.2.