Bugzilla – Bug 3180
SQL injection vulnerability
Last modified: 2010-06-26 20:36:54 UTC
There was a SQL injection vulnerability reported, references:
http://www.securityfocus.com/archive/1/500823
http://www.securityfocus.com/bid/33722/
http://milw0rm.com/exploits/8037
The flaw lies inside the variable substitution feature of mod_sql. For example, if a user types in %l as part of the username, mod_sql replaces that with his IP address before it executes the SQL query. A user can exploit this feature to bypass the protection of the sql_escapestring function: sql_escapestring correctly replaces ' with \' to prevent SQL injection. But if the user enters %' as part of his username, which gets transformed to %\' by the escape function, mod_sql tries to substitute the variable. As %\ is an unknown variable it gets transformed to {UNKNOWN TAG}', thus leaving the quote intact and allowing injection of arbitrary SQL code. I think the proper solution is not to perform variable substitution on user submitted content at all. Hopefully someone can fix this problem quickly.
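The escape-then-substitute ordering described in this report, modelled as an added Python example. This is not ProFTPD or mod_sql code: the tag table (only %l is named in the report), the exact spelling of the {UNKNOWN TAG} placeholder, the query template, the last_ip column and the sample client address are all assumptions or constructed data. The safe variant follows the reporter's suggestion (no substitution on user-supplied text) and is not a claim about how the project actually fixed it.

```python
"""Model of the mod_sql escape-then-substitute flaw described in the report.

Added illustration, not ProFTPD source. The tag table, the "{UNKNOWN TAG}"
placeholder text, the query template and the client address are assumptions.
"""
import re

# Constructed tag table: the report names only %l (the client's IP address).
CLIENT_TAGS = {"l": "192.0.2.10"}

# A '%' followed by any single character is treated as a variable reference.
TAG_RE = re.compile(r"%(.)", re.DOTALL)


def escape_string(value: str) -> str:
    """Model of sql_escapestring as the report describes it: ' becomes \\'."""
    return value.replace("'", "\\'")


def substitute_tags(text: str, tags: dict) -> str:
    """Model of mod_sql variable substitution.

    Every %X is replaced by the tag's value; an unknown X yields the placeholder.
    Either way the character after '%' is consumed, which is what swallows the
    backslash of an escaped quote.
    """
    return TAG_RE.sub(lambda m: tags.get(m.group(1), "{UNKNOWN TAG}"), text)


def build_query_vulnerable(username: str, tags: dict) -> str:
    """Reported order: escape the user input, then substitute over the escaped
    string. "%'" -> "%\\'" -> "{UNKNOWN TAG}'", leaving a live quote."""
    value = substitute_tags(escape_string(username), tags)
    return f"SELECT userid, passwd FROM users WHERE userid='{value}'"


def build_query_safe(username: str, tags: dict) -> str:
    """Safe order per the reporter's suggestion: substitution runs only over the
    admin-controlled template; user text is escaped last and never substituted."""
    template = ("SELECT userid, passwd FROM users "
                "WHERE userid='{user}' AND last_ip='%l'")  # assumed template
    template = substitute_tags(template, tags)           # %l expanded here only
    return template.replace("{user}", escape_string(username))


def unescaped_quote_count(sql: str) -> int:
    """Heuristic check: count single quotes not preceded by a backslash.
    An odd count means user data terminated a string literal early."""
    return len(re.findall(r"(?<!\\)'", sql))


if __name__ == "__main__":
    payload = "%' OR 1=1 -- "            # constructed injection attempt
    for label, builder in (("vulnerable", build_query_vulnerable),
                           ("safe", build_query_safe)):
        q = builder(payload, CLIENT_TAGS)
        print(f"{label:10s} quotes={unescaped_quote_count(q)}  {q}")
```

Run it and compare the two query strings: in the vulnerable order the `%\` pair is consumed as an unknown tag and the quote that followed it closes the literal, so `OR 1=1` becomes part of the WHERE clause; in the safe order the escaped quote survives intact and the whole payload stays inside the string literal.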
Are you able to reproduce this on your server? If so, what does `proftpd -V' show?
Created attachment 2953 [details] version information and log output Proftpd version is 1.3.2rc2. I've attached the full 'proftpd -V'. Additionally I've included a telnet session and SQL log output of a working injection.
I think that this has already been fixed in 1.3.2rc3 and later, as part of Bug#3124. This being the case, could you retry your test using the recently released proftpd-1.3.2?
1.3.2 indeed fixes the issue. Sorry for the dupe - but it may be important to know that Bug#3124 also allowed SQL injection.
No worries. Definitely better safe than sorry. =) *** This bug has been marked as a duplicate of bug 3124 ***