CVE-2009-0543
Published 2009-02-12
CVE-2009-0543: ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte…
Priority: P3 · 48 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 14.89% (96.3th percentile)
ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2) mod_sql_postgres.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | proftpd-dfsg | < proftpd-dfsg 1.3.2-1 (bookworm) | proftpd-dfsg 1.3.2-1 (bookworm) |
| proftpd | proftpd | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.8 | MEDIUM | — |
| vendor_debian | — | 6.8 | MEDIUM | — |
| vendor_redhat | — | 5.9 | MEDIUM | — |
GHSA
GHSA-3qqr-wq7g-hxwh: ProFTPD Server 1 (CVE-2009-0543, MEDIUM, CWE-89)
ghsa_unreviewed · 2022-05-02
OSV
CVE-2009-0543: ProFTPD Server 1 (MEDIUM)
osv · 2009-02-12 · CVSS 6.8
Red Hat
CVE-2009-3767 [MEDIUM] OpenLDAP: Doesn't properly handle NULL character in subject Common Name
vendor_redhat · 2009-08-10 · CVSS 5.9
libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Statement: This issue was addressed in the openldap packages as shipped with Red Hat Enterprise Linux 5 and 4 via: https://rhn.redhat.com/errata/RHSA-2010-0198.html and https://rhn.redhat.com/errata/RHSA-2010-0543.html respectively.
The Red Hat Security Response Team has rated this issue as having moderate security imp
Debian
CVE-2009-0543 [MEDIUM] proftpd-dfsg - ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypas...
vendor_debian · 2009 · CVSS 6.8
Scope: local
bookworm: resolved (fixed in 1.3.2-1)
bullseye: resolved (fixed in 1.3.2-1)
forky: resolved (fixed in 1.3.2-1)
sid: resolved (fixed in 1.3.2-1)
trixie: resolved (fixed in 1.3.2-1)
No detection rules found.
References
http://bugs.proftpd.org/show_bug.cgi?id=3173
http://secunia.com/advisories/34268
http://security.gentoo.org/glsa/glsa-200903-27.xml
http://www.debian.org/security/2009/dsa-1730
http://www.mandriva.com/security/advisories?name=MDVSA-2009:061
http://www.openwall.com/lists/oss-security/2009/02/11/4
http://www.openwall.com/lists/oss-security/2009/02/11/5
Published: 2009-02-12