lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <27996002.151234326745581.JavaMail.root@mail.qmailhosting.net>
Date: Tue, 10 Feb 2009 20:32:25 -0800 (PST)
From: Sergio Aguayo <sergioag@...ilhosting.net>
To: bugtraq@...urityfocus.com
Subject: Re: Another SQL injection in ProFTPd with  mod_mysql (probably
 postgres as well)

Maybe this is related to http://bugs.proftpd.org/show_bug.cgi?id=3173  ?

That bug only applies to 1.3.1, so 1.3.0 is not affected. 1.3.2 is supposed to fix this bug.

Sergio Aguayo

----- Original Message -----
From: gat3way@...3way.eu
To: bugtraq@...urityfocus.com
Sent: Tuesday, February 10, 2009 2:49:53 PM GMT -05:00 Colombia
Subject: Another SQL injection in ProFTPd with  mod_mysql (probably postgres as well)

Hello,

Just found out a problem with proftpd's sql authentication. The problem is easily reproducible if you login with username like:

USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; -- 

and a password of "1" (without quotes).

which leads to a successful login. Different account logins can be made successful using the limit clase (e.g appending "LIMIT 5,1" will make you login with as the 5th account in the users table).

As far as I can see in the mysql logs the query becomes:

SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE (userid='{UNKNOWN TAG}') and 1=2 union select 1,1,uid,gid,homedir,shell from users limit 1,1; -- ') LIMIT 1

I think the problem lies in the handling of the "%" character (probably that's some way to sanitize input to avoid format string things?).

Anyway, %' effectively makes the single quote unescaped and that eventually allows for an SQL injection during login.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ