Improper neutralization of special elements used in an SQL command ('SQL injection') in ProFTPD - CVE-2009-0543

 


Published: June 9, 2009 / Updated: June 23, 2025


Vulnerability identifier: #VU111813
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2009-0543
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: ProFTPD
Affected software:
ProFTPD

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2) mod_sql_postgres.


How to mitigate CVE-2009-0543

Install the update from the vendor's repository.
