



ProFTPD Character Encoding SQL Injection Vulnerability

Report ID: SA200900718
Source: Unknown
Date of Discovery: 09.02.2009
Criticality: Moderate
Affects:
ProFTPD 1.3.x

Compromise From: From remote
Compromise Type: Manipulation of data

Summary

A vulnerability has been reported in ProFTPD, which can be exploited by malicious people to conduct SQL injection attacks.

Detailed Description

The vulnerability is caused by the application improperly setting the character encoding before performing SQL queries. In an environment using a multi-byte character encoding, this can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that NLS support is enabled.

The vulnerability is reported in version 1.3.1 and later.
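The following is an added example, not part of the original advisory and not ProFTPD code. It models the bug class described above: escaping applied byte by byte while the database reads the result in a multi-byte encoding. GBK as the connection charset, the function names and the sample input are assumptions chosen for illustration.

```python
# Added illustration; GBK as the connection charset is an assumption.

def escape_bytewise(raw: bytes) -> bytes:
    """Charset-unaware escaping: put a backslash before each ' or \\ byte."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def escape_charset_aware(raw: bytes, charset: str) -> bytes:
    """Decode strictly in the connection charset, escape characters, re-encode.
    Input that is not valid in that charset raises UnicodeDecodeError."""
    text = raw.decode(charset)
    text = text.replace("\\", "\\\\").replace("'", "\\'")
    return text.encode(charset)

def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count quotes a server reading `escaped` in `charset` sees unescaped."""
    text = escaped.decode(charset, errors="replace")
    count = i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2          # a backslash consumes the character after it
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count

# Constructed sample: 0xBF is a GBK lead byte, followed by a quote.
SAMPLE = b"user\xbf'"

def audit(raw: bytes, charset: str) -> dict:
    """Compare both escaping strategies for one input and charset."""
    result = {"bytewise_unescaped": unescaped_quotes(escape_bytewise(raw), charset)}
    try:
        safe = escape_charset_aware(raw, charset)
        result["aware_unescaped"] = unescaped_quotes(safe, charset)
    except UnicodeDecodeError:
        result["aware_unescaped"] = None   # rejected before reaching the query
    return result

if __name__ == "__main__":
    print(audit(SAMPLE, "latin-1"))  # escaping holds in a single-byte charset
    print(audit(SAMPLE, "gbk"))      # backslash is absorbed as a trail byte
```

Under a single-byte charset the inserted backslash still protects the quote; under GBK it becomes the second byte of a two-byte character and the quote is left bare. Escaping that knows the connection charset rejects the malformed input instead.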

Solution

Update to version 1.3.2.

Original Reference

-