CVE-2009-0542

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via a "%" (percent) character in the username, which introduces a "'" (single quote) character during variable substitution by mod_sql.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-32798 remote multiple verified

AlpHaNiX · 2009-02-10

ProFTPd 1.3 - 'mod_sql' 'Username' SQL Injection

Source code queued for fetch — refresh in a moment.

EDB-8037 remote multiple verified text · 1 KB

gat3way · 2009-02-10

ProFTPd - 'mod_mysql' Authentication Bypass

text exploit Source: Exploit-DB

Just found out a problem with proftpd's sql authentication. The problem is easily reproducible if you login with username like:

USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; -- 

and a password of "1" (without quotes).

which leads to a successful login. Different account logins can be made successful using the limit clase (e.g appending "LIMIT 5,1" will make you login with as the 5th account in the users table).

As far as I can see in the mysql logs the query becomes:

SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE (userid='{UNKNOWN TAG}') and 1=2 union select 1,1,uid,gid,homedir,shell from users limit 1,1; -- ') LIMIT 1

I think the problem lies in the handling of the "%" character (probably that's some way to sanitize input to avoid format string things?).

Anyway, %' effectively makes the single quote unescaped and that eventually allows for an SQL injection during login.

# milw0rm.com [2009-02-10]

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`1.3.2-1`
sid	Fixed	`1.3.2-1`
forky	Fixed	`1.3.2-1`
bullseye	Fixed	`1.3.2-1`
bookworm	Fixed	`1.3.2-1`

References

https://security-tracker.debian.org/tracker/CVE-2009-0542

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.