485125 – (CVE-2009-0542) CVE-2009-0542 proftpd: SQL injection during login

Bug 485125 (CVE-2009-0542) - CVE-2009-0542 proftpd: SQL injection during login

Summary: CVE-2009-0542 proftpd: SQL injection during login

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2009-0542
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	485129 485130 485131
Blocks:
TreeView+	depends on / blocked

Reported:	2009-02-11 18:28 UTC by Vincent Danen
Modified:	2019-09-29 12:28 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-03-29 09:26:12 UTC
Embargoed:

Attachments	(Terms of Use)
exploit for this proftpd issue, from bugtraq (2.78 KB, application/x-perl) 2009-02-11 18:37 UTC, Vincent Danen	no flags	Details
View All

Description Vincent Danen 2009-02-11 18:28:15 UTC

An SQL injection vulnerability was reported on bugtraq that could allow a user to login with any password.

References:

Gentoo BTS: http://bugs.gentoo.org/show_bug.cgi?id=258450

Bugtraq initial post: http://www.securityfocus.com/archive/1/500823/30/0/threaded

Comment 1 Vincent Danen 2009-02-11 18:33:00 UTC

The upstream bug is here:  http://bugs.proftpd.org/show_bug.cgi?id=3180

Comment 2 Vincent Danen 2009-02-11 18:37:43 UTC

Created attachment 331600 [details]
exploit for this proftpd issue, from bugtraq

This comes from bugtraq: http://www.securityfocus.com/archive/1/500851/30/0/threaded

Comment 3 Vincent Danen 2009-02-11 18:59:36 UTC

Created Fedora tracking bugs for proftpd:

9: bug #485129
10: bug #485130
rawhide: bug #485131

Comment 4 Vincent Danen 2009-02-11 19:08:26 UTC

This is fixed in proftpd 1.3.2 and seems to only affect 1.3.1.  The upstream bug with this fix is http://bugs.proftpd.org/show_bug.cgi?id=3124.

Comment 5 Vincent Danen 2009-02-11 21:18:06 UTC

The gentoo BTS also refers to a similar SQL-ish issue, which is upstream bug http://bugs.proftpd.org/show_bug.cgi?id=3173.  That issue, however, does not affect us as it only affects protftpd installs with NLS support enabled, which we do not enable (and the default in ./configure is disabled).

Noting this here as the gentoo BTS mentions both issues in the report, but only the one noted above actually affects us (although if Fedora updates to 1.3.2, this will be dealt with at the same time).

Comment 6 Vincent Danen 2009-02-12 16:14:10 UTC

This issue has been assigned CVE-2009-0542.  The second issue that doesn't affect us has been assigned CVE-2009-0543 (just noting it here for reference).

Comment 7 Fedora Update System 2009-08-03 15:32:45 UTC

proftpd-1.3.2a-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/proftpd-1.3.2a-2.fc10

Comment 8 Fedora Update System 2009-08-19 22:50:46 UTC

proftpd-1.3.2a-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/proftpd-1.3.2a-3.fc10

Comment 9 Fedora Update System 2009-09-02 11:12:10 UTC

proftpd-1.3.2a-4.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/proftpd-1.3.2a-4.fc10

Comment 10 Fedora Update System 2009-09-07 15:08:12 UTC

proftpd-1.3.2a-5.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/proftpd-1.3.2a-5.fc10

Comment 11 Fedora Update System 2009-09-24 05:25:38 UTC

proftpd-1.3.2a-5.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.