Bug 3180 - SQL injection vulnerability
Status: CLOSED DUPLICATE of bug 3124
Product: ProFTPD
Component: mod_sql
Version: CVS
Hardware: PC All
Importance: P1 critical
Assigned To: TJ Saunders
Reported: 2009-02-11 07:13 UTC by Shino
Modified: 2010-06-26 20:36 UTC (History)


Attachments: version information and log output (3.83 KB, text/plain), 2009-02-11 13:16 UTC, Shino

Description Shino 2009-02-11 07:13:08 UTC
There was a SQL injection vulnerability reported, references:
http://www.securityfocus.com/archive/1/500823
http://www.securityfocus.com/bid/33722/
http://milw0rm.com/exploits/8037

The flaw lies inside the variable substitution feature of mod_sql.

For example, if a user types in %l as part of the username, mod_sql replaces
that with his IP address before it executes the SQL query. A user can exploit
this feature to bypass the protection of the sql_escapestring function:

The sql_escapestring correctly replaces ' with \' to prevent SQL injection. But
if the user enters %' as part of his username, which gets transformed to %\' by
the escape function, mod_sql tries to substitute the variable. As %\ is an
unknown variable it gets transformed to {UNKNOWN TAG}' - thus leaving the
quote intact and allowing injection of arbitrary SQL code.

I think the proper solution is not to perform variable substitution on user
submitted content at all.

Hopefully someone can fix this problem quickly.
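As an added example (not ProFTPD or mod_sql code): a Python model of the escape-then-substitute ordering the report describes, beside the ordering that keeps user-submitted values out of tag substitution entirely. The query template, the single `%l` tag, the `{UNKNOWN TAG}` marker and the quote counter are simplified assumptions for illustration.

```python
import re

# Assumed simplified stand-ins for mod_sql behaviour described in the report.
UNKNOWN_TAG = "{UNKNOWN TAG}"
# Administrator-written query; '{user}' is where the login name is inserted.
TEMPLATE = "SELECT passwd FROM users WHERE userid='{user}' AND client_ip='%l'"


def sql_escapestring(s: str) -> str:
    """Backslash-escape backslashes and single quotes (MySQL-style escaping)."""
    return s.replace("\\", "\\\\").replace("'", "\\'")


def substitute(text: str, client_ip: str) -> str:
    """Expand %-tags; %l is the client IP, any other tag becomes UNKNOWN_TAG."""
    def expand(m: re.Match) -> str:
        return client_ip if m.group(1) == "l" else UNKNOWN_TAG
    return re.sub(r"%(.)", expand, text)


def build_query_vulnerable(username: str, client_ip: str) -> str:
    """The reported ordering: escape the user value, assemble the query,
    then run tag substitution over the whole string.  A '%' placed before
    the escaping backslash swallows it, leaving a bare quote behind."""
    query = TEMPLATE.replace("{user}", sql_escapestring(username))
    return substitute(query, client_ip)


def build_query_fixed(username: str, client_ip: str) -> str:
    """Safer ordering: substitute tags only in the administrator's template,
    then insert the escaped user value.  User input is never scanned for
    tags, so the escaping it received cannot be undone afterwards."""
    query = substitute(TEMPLATE, client_ip)
    return query.replace("{user}", sql_escapestring(username))


def unescaped_quotes(sql: str) -> int:
    """Count single quotes not preceded by a backslash.  TEMPLATE contains
    four such quotes; any other count means a literal boundary was broken.
    (Does not distinguish an escaped backslash followed by a quote.)"""
    return len(re.findall(r"(?<!\\)'", sql))


if __name__ == "__main__":
    for name in ("o'brien", "%l", "%'"):          # constructed login names
        for label, build in (("vulnerable", build_query_vulnerable),
                             ("fixed", build_query_fixed)):
            q = build(name, "192.0.2.10")          # constructed client IP
            print(f"{label:10} {name!r:10} quotes={unescaped_quotes(q)} {q}")
```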
Comment 1 TJ Saunders 2009-02-11 12:11:43 UTC
Are you able to reproduce this on your server?  If so, what does `proftpd -V'
show?
Comment 2 Shino 2009-02-11 13:16:20 UTC
Created attachment 2953
version information and log output

Proftpd version is 1.3.2rc2. I've attached the full 'proftpd -V'. Additionally
I've included a telnet session and SQL log output of a working injection.
Comment 3 TJ Saunders 2009-02-11 13:20:59 UTC
I think that this has already been fixed in 1.3.2rc3 and later, as part of
Bug#3124.

This being the case, could you retry your test using the recently released
proftpd-1.3.2?
Comment 4 Shino 2009-02-11 13:58:07 UTC
1.3.2 indeed fixes the issue. Sorry for the dupe - but it may be important to
know that Bug#3124 also allowed SQL injection.
Comment 5 TJ Saunders 2009-02-11 14:02:13 UTC
No worries.  Definitely better safe than sorry. =)

*** This bug has been marked as a duplicate of bug 3124 ***