#VU111813 Improper neutralization of special elements used in an sql command ('sql injection') in ProFTPD - CVE-2009-0543
Published: June 9, 2009 / Updated: June 23, 2025
Vulnerability identifier: #VU111813
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2009-0543
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
ProFTPD
ProFTPD
Software vendor:
ProFTPD
ProFTPD
Description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2) mod_sql_postgres.
Remediation
Install update from vendor's repository.
External links
- http://bugs.proftpd.org/show_bug.cgi?id=3173
- http://secunia.com/advisories/34268
- http://security.gentoo.org/glsa/glsa-200903-27.xml
- http://www.debian.org/security/2009/dsa-1730
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:061
- http://www.openwall.com/lists/oss-security/2009/02/11/4
- http://www.openwall.com/lists/oss-security/2009/02/11/5