Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-0542

CWE-89: SQL Injection (9 documents, 8 sources)

Severity: 7.5 HIGH
EPSS: 58.5% (top 1.79%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Feb 12; Latest update May 2

Description

SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via a "%" (percent) character in the username, which introduces a "'" (single quote) character during variable substitution by mod_sql.

CVSS vector

AV:N/AC:L/C:P/I:P/A:P (Exploitability: 10.0 | Impact: 6.4)

Affected Packages (2 packages)

Debian: proftpd-dfsg < 1.3.2-1 (+3)
NVD: proftpd_project/proftpd 1.3.1, 1.3.2, 1.3.2_rc2 (+2)

Vulnerability Details (3)

GHSA: GHSA-m4rf-c9xj-c2gp: SQL injection vulnerability in ProFTPD Server 1 (2022-05-02)
CVEList: CVE-2009-0542: SQL injection vulnerability in ProFTPD Server 1 (2009-02-12)
OSV: CVE-2009-0542: SQL injection vulnerability in ProFTPD Server 1 (2009-02-12)

Exploits & PoCs (2)

Exploit-DB: ProFTPd 1.3 - 'mod_sql' 'Username' SQL Injection (2009-02-10)
Exploit-DB: ProFTPd - 'mod_mysql' Authentication Bypass (2009-02-10)

Vendor Advisories (2)

Red Hat: proftpd: SQL injection during login (2009-02-10)
Debian: CVE-2009-0542: proftpd-dfsg - SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remo... (2009)

Community (1)

Bugzilla: CVE-2009-0542 proftpd: SQL injection during login (2009-02-11)