Bug 3173 - Encoding-dependent SQL injection vulnerability
Status: CLOSED FIXED
Product: ProFTPD
Component: mod_sql
Version: 1.3.1
Hardware: All All
Importance: P1 critical
Assigned To: TJ Saunders
Reported: 2009-02-05 13:45 UTC by TJ Saunders
Modified: 2009-02-05 14:36 UTC (History)

Attachments
Fixes vulnerability in mod_sql_mysql, mod_sql_postgres (5.81 KB, patch)
2009-02-05 13:49 UTC, TJ Saunders
Version of the patch for proftpd-1.3.1 (7.91 KB, patch)
2009-02-05 13:51 UTC, TJ Saunders

Description TJ Saunders 2009-02-05 13:45:51 UTC
An attacker able to submit crafted strings to an application that will embed
those strings in SQL commands can use invalidly-encoded multibyte characters to
bypass standard string-escaping methods, resulting in possible injection of
hostile SQL commands into the database. The attacks covered here work in any
multibyte encoding.

This class of vulnerability has been seen in other products as well:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2314
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2753
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2384

Affects ProFTPD 1.3.1 and later (but NOT earlier versions) that have NLS
support enabled.  If your LANG environment variable uses the "C" or "POSIX"
locale, you are not vulnerable.
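
The failure mode described above, as an added example that is not part of the bug report or of the attached patches: a byte-at-a-time escaper next to one that first rejects input not well-formed in the session encoding. GBK is an assumed encoding (the report names none), the function names are hypothetical, and the sample bytes are constructed.

```python
# Added illustration; not ProFTPD or mod_sql code.
SAMPLE = b"ab\xbf'cd"  # constructed: 0xBF is a GBK lead byte with no valid trail byte


def bytewise_escape(raw: bytes) -> bytes:
    """Encoding-unaware escaper: prefixes backslash and single quote
    with a backslash, one byte at a time."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def has_unescaped_quote(escaped: bytes, encoding: str) -> bool:
    """Read the escaped bytes as a consumer using `encoding` would and
    report whether any single quote is left without an escaping backslash."""
    text = escaped.decode(encoding, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # a backslash character consumes the character after it
            continue
        if text[i] == "'":
            return True
        i += 1
    return False


def checked_escape(raw: bytes, encoding: str) -> bytes:
    """Reject input that is not well-formed in the session encoding,
    then escape per character instead of per byte."""
    try:
        text = raw.decode(encoding, errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {encoding}") from exc
    text = text.replace("\\", "\\\\").replace("'", "\\'")
    return text.encode(encoding)
```

With the constructed sample, the backslash added by `bytewise_escape` becomes the trail byte of a two-byte GBK character, so the quote after it is no longer escaped; `checked_escape` refuses the same input.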
Comment 1 TJ Saunders 2009-02-05 13:49:04 UTC
Created attachment 2945
Fixes vulnerability in mod_sql_mysql, mod_sql_postgres
Comment 2 TJ Saunders 2009-02-05 13:51:34 UTC
Created attachment 2946
Version of the patch for proftpd-1.3.1
Comment 3 TJ Saunders 2009-02-05 13:54:39 UTC
Patch committed to CVS.
Comment 4 TJ Saunders 2009-02-05 14:36:18 UTC
Resolved in 1.3.2.