#VU111813 Improper neutralization of special elements used in an SQL command ('SQL injection') in ProFTPD - CVE-2009-0543


Updated: 2025-06-23

Vulnerability identifier: #VU111813

Vulnerability risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2009-0543

CWE-ID: CWE-89

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
ProFTPD
Server applications / File servers (FTP/HTTP)

Vendor: ProFTPD

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2) mod_sql_postgres.

Mitigation
Install the update from the vendor's repository.

Vulnerable software versions

ProFTPD: All versions


External links
https://bugs.proftpd.org/show_bug.cgi?id=3173
https://secunia.com/advisories/34268
https://security.gentoo.org/glsa/glsa-200903-27.xml
https://www.debian.org/security/2009/dsa-1730
https://www.mandriva.com/security/advisories?name=MDVSA-2009:061
https://www.openwall.com/lists/oss-security/2009/02/11/4
https://www.openwall.com/lists/oss-security/2009/02/11/5


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
