Message-ID: <49A47F2E.40106@osev.de>
Date: Wed, 25 Feb 2009 00:13:50 +0100
From: Benjamin Milde <bmilde@...v.de>
To: bugtraq@...urityfocus.com
Subject: Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres
 as well)

Reproducible under Gentoo with Proftpd 1.3.1, but not under Debian
etch with Proftpd 1.3.0.

The newest Proftpd in Gentoo is 1.3.2-rc2, but there seems to be a
MySQL-related patch in the build file now. I also tested vanilla
1.3.2-rc4 and 1.3.2; with all three the SQL injection is not
reproducible for me and the query is escaped.

It is also possible to inject your own strings (and break the
proftpd cage) with a user name like this:

%') and 1=2 union (select
<name>,1,<uid>,<gid>,0x2F,0x2F62696E2F62617368); -- a

Name can be anything; uid and gid let you select any username with
access to the complete filesystem. Only if you use uid=0 and gid=0, root
becomes nobody and nogroup. Other values seem to work.

- B. Milde
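
Added example, not part of the original message or of ProFTPD: a small audit pass over attempted FTP login names that flags SQL metacharacters and decodes MySQL-style 0x.. literals, so a reviewer can see which home directory and shell values a name like the one above was trying to supply. The pattern list, function names and sample names are assumptions made for illustration.

```python
import re

# Assumed policy: none of these constructs belong in an FTP login name.
SUSPICIOUS = [
    ("quote", re.compile(r"['\"`]")),
    ("percent", re.compile(r"%")),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("comment", re.compile(r"--\s|#|/\*")),
    ("hex-literal", re.compile(r"\b0x(?:[0-9a-f]{2})+\b", re.I)),
]
HEX = re.compile(r"\b0x((?:[0-9a-fA-F]{2})+)\b")


def decode_hex_literals(name):
    """Return {literal: decoded text} for MySQL-style 0x.. string literals."""
    out = {}
    for m in HEX.finditer(name):
        out[m.group(0)] = bytes.fromhex(m.group(1)).decode("latin-1")
    return out


def audit_username(name):
    """Return (reasons, decoded) for one login name; empty reasons = clean."""
    reasons = [label for label, rx in SUSPICIOUS if rx.search(name)]
    return reasons, decode_hex_literals(name)


def audit(names):
    """Return one finding per name that trips at least one pattern."""
    findings = []
    for n in names:
        reasons, decoded = audit_username(n)
        if reasons:
            findings.append({"user": n, "reasons": reasons, "decoded": decoded})
    return findings


# Constructed sample input; the <name>/<uid>/<gid> placeholders are kept
# exactly as they appear in the message.
SAMPLE = [
    "alice",
    "backup_ftp",
    "%') and 1=2 union (select <name>,1,<uid>,<gid>,0x2F,0x2F62696E2F62617368); -- a",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the login names your FTP server logs for failed and successful authentications; any hit on a server whose version is in the affected range warrants checking which uid, gid and home directory the session was actually granted.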
