SQL Injection in ProFTPD's SQL Authentication

vendor:

ProFTPD

by:

milw0rm.com

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: ProFTPD

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

SQL Injection in ProFTPD’s SQL Authentication

The vulnerability is caused by improper handling of the '%' character in ProFTPD's SQL authentication. This leads to an SQL injection during login, allowing an attacker to bypass authentication and gain access to the system.

Mitigation:

Ensure that all user input is properly sanitized and validated.

Source

Exploit-DB raw data:

Just found out a problem with proftpd's sql authentication. The problem is easily reproducible if you login with username like:

USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; -- 

and a password of "1" (without quotes).

which leads to a successful login. Different account logins can be made successful using the limit clase (e.g appending "LIMIT 5,1" will make you login with as the 5th account in the users table).

As far as I can see in the mysql logs the query becomes:

SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE (userid='{UNKNOWN TAG}') and 1=2 union select 1,1,uid,gid,homedir,shell from users limit 1,1; -- ') LIMIT 1

I think the problem lies in the handling of the "%" character (probably that's some way to sanitize input to avoid format string things?).

Anyway, %' effectively makes the single quote unescaped and that eventually allows for an SQL injection during login.

# milw0rm.com [2009-02-10]