cbcvebase.
CVE-2009-0542
published 2009-02-12

CVE-2009-0542: SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via a "%" (percent) character in…

PriorityP266high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
74.73%
99.4th percentile
SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via a "%" (percent) character in the username, which introduces a "'" (single quote) character during variable substitution by mod_sql.

Affected

4 ranges
VendorProductVersion rangeFixed in
debianproftpd-dfsg< proftpd-dfsg 1.3.2-1 (bookworm)proftpd-dfsg 1.3.2-1 (bookworm)
proftpd_projectproftpd
proftpd_projectproftpd
proftpd_projectproftpd

Detection & IOCsextracted from sources · hover to see the quote

commandUSER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; --
other% (percent character in FTP username triggering SQL injection via mod_sql)
  • Monitor FTP USER commands containing a literal '%' character in the username field, as this triggers unescaped single-quote injection in mod_sql queries.
  • Detect SQL UNION-based injection patterns in FTP login usernames, particularly patterns combining '%') with UNION SELECT targeting uid, gid, homedir, shell columns.
  • Inspect MySQL/database query logs for ProFTPD authentication queries containing UNION SELECT or comment sequences (--) originating from the userid field, indicating exploitation.
  • Exploitation allows authentication bypass with any password (e.g., '1'); alert on successful FTP logins where the username contains SQL metacharacters such as '%', UNION, or '--'.
  • LIMIT clause manipulation in the injected username can be used to authenticate as arbitrary accounts in the users table; monitor for LIMIT keyword in FTP USER strings.
  • ·This vulnerability only affects ProFTPD installations using the mod_sql module for SQL-based authentication; plain file-based authentication is not affected.
  • ·A related but distinct issue (CVE-2009-0543) only affects ProFTPD installs with NLS (National Language Support) enabled; the default ./configure disables NLS, so most standard builds are not affected by CVE-2009-0543.
  • ·The vulnerability is fixed in ProFTPD 1.3.2 (and 1.3.2a packages); only 1.3.1 through 1.3.2rc2 are vulnerable.

CVSS provenance

nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv7.5HIGH
vendor_debian7.5MEDIUM
vendor_redhat7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.