SB2009060903 - Improper neutralization of special elements used in an SQL command ('SQL injection') in ProFTPD
Published: June 9, 2009 Updated: June 23, 2025
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper neutralization of special elements used in an SQL command ('SQL injection') (CVE-ID: CVE-2009-0543)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2) mod_sql_postgres.
Remediation
Install the update from the vendor's website.
References
- http://bugs.proftpd.org/show_bug.cgi?id=3173
- http://secunia.com/advisories/34268
- http://security.gentoo.org/glsa/glsa-200903-27.xml
- http://www.debian.org/security/2009/dsa-1730
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:061
- http://www.openwall.com/lists/oss-security/2009/02/11/4
- http://www.openwall.com/lists/oss-security/2009/02/11/5