Vulnerabilities > CVE-2003-0500 - SQL-Injection vulnerability in Proftpd Project Proftpd 1.2.9Rc1

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
proftpd-project
critical
nessus
exploit available

Summary

SQL injection vulnerability in the PostgreSQL authentication module (mod_sql_postgres) for ProFTPD before 1.2.9rc1 allows remote attackers to execute arbitrary SQL and gain privileges by bypassing authentication or stealing passwords via the USER name.

Vulnerable Configurations

Part Description Count
Application
Proftpd_Project
1

Exploit-Db

description: ProFTPD 1.2.9RC1 (mod_sql) Remote SQL Injection Exploit. CVE-2003-0500. Remote exploit for the Linux platform
id: EDB-ID:43
last seen: 2016-01-31
modified: 2003-06-19
published: 2003-06-19
reporter: Spaine
source: https://www.exploit-db.com/download/43/
title: ProFTPD 1.2.9RC1 - mod_sql Remote SQL Injection Exploit

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-338.NASL
    description: runlevel [[email protected]] reported that ProFTPD
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15175
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15175
    title: Debian DSA-338-1 : proftpd - SQL injection
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-338. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Description mode: when `description` is set, the plugin only registers its
    # metadata (IDs, cross-references, report text, scoring, scheduling
    # requirements) and exits before any package check is run.
    if (description)
    {
      script_id(15175);
      script_version("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      # Cross-references: the CVE, the Bugtraq ID and the Debian advisory number.
      script_cve_id("CVE-2003-0500");
      script_bugtraq_id(7974);
      script_xref(name:"DSA", value:"338");
    
      script_name(english:"Debian DSA-338-1 : proftpd - SQL injection");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "runlevel [[email protected]] reported that ProFTPD's PostgreSQL
    authentication module is vulnerable to a SQL injection attack. This
    vulnerability could be exploited by a remote, unauthenticated attacker
    to execute arbitrary SQL statements, potentially exposing the
    passwords of other users, or to connect to ProFTPD as an arbitrary
    user without supplying the correct password."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2003/dsa-338"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "For the stable distribution (woody) this problem has been fixed in
    version 1.2.4+1.2.5rc1-5woody2.
    
    We recommend that you update your proftpd package."
      );
      # CVSS v2 base vector: network reachable, low complexity, no
      # authentication, complete confidentiality/integrity/availability impact.
      # Temporal vector: functional exploit, official fix available, confirmed.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      # Declared as a "local" plugin: per the summary above it compares dpkg
      # output with the fixed version instead of probing the FTP service, so a
      # result says nothing about whether mod_sql is actually enabled.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:proftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/06/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # Scheduling requirements: the three KB keys must be present; presumably
      # they are populated by the declared dependency ssh_get_info.nasl
      # (confirm against that plugin).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      # Stop here in description mode; the check logic below is not executed.
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: local checks must be enabled and the KB must hold both the
    # Debian release and the dpkg package list; otherwise audit out.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release"))
      audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Every binary package named by the advisory is compared against the same
    # fixed version for Debian 3.0; each hit from deb_check() is counted.
    fixed_version = "1.2.4+1.2.5rc1-5woody2";
    outdated = 0;
    foreach pkg (make_list("proftpd", "proftpd-common", "proftpd-doc", "proftpd-ldap", "proftpd-mysql", "proftpd-pgsql"))
    {
      if (deb_check(release:"3.0", prefix:pkg, reference:fixed_version)) outdated++;
    }
    
    # No hit: the host is audited as not affected. Otherwise report on port 0,
    # attaching the deb_report_get() text when report verbosity is above zero.
    if (!outdated) audit(AUDIT_HOST_NOT, "affected");
    else
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL family: FTP
    NASL id: PROFTPD_PGSQL_INSERTION.NASL
    description: The remote FTP server is vulnerable to a SQL injection when it processes the USER command. An attacker may exploit this flaw to log into the remote host as any user.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11768
    published: 2003-06-19
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11768
    title: PostgreSQL Authentication Module (mod_sql) for ProFTPD USER Name Parameter SQL Injection
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Description mode: when `description` is set, the plugin only registers its
    # metadata (IDs, report text, scoring, scheduling requirements) and exits
    # before the remote check is run.
    if (description)
    {
     script_id(11768);
     script_version("1.21");
     script_cvs_date("Date: 2018/07/25 18:58:04");
    
     script_cve_id("CVE-2003-0500");
     script_bugtraq_id(7974);
     
     script_name(english:"PostgreSQL Authentication Module (mod_sql) for ProFTPD USER Name Parameter SQL Injection");
     script_summary(english:"Performs a SQL insertion");
    
     # NOTE(review): the synopsis talks about reading or modifying arbitrary
     # files, while the description below is about logging in as any user; the
     # two texts do not describe the same impact -- confirm which is intended.
     script_set_attribute(attribute:"synopsis", value:
    "It may be possible to read or modify arbitrary files on the remote
    server.");
     script_set_attribute(attribute:"description", value:
    "The remote FTP server is vulnerable to a SQL injection when it
    processes the USER command. 
    
    An attacker may exploit this flaw to log into the remote host as any
    user.");
     # NOTE(review): the remediation names 1.2.10 without a source reference;
     # verify the fixed release against the vendor advisory.
     script_set_attribute(attribute:"solution", value:
    "If the remote server is ProFTPd, upgrade to ProFTPD 1.2.10.");
     # CVSS v2 base vector with partial C/I/A impact (base score 7.5).
     # Temporal vector: proof-of-concept exploit, official fix, confirmed.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/06/19");
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/06/18");
    
     # Declared as a "remote" plugin: the verdict comes from talking to the FTP
     # service, not from an installed-package inventory.
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:proftpd:proftpd");
     script_end_attributes();
    
     # NOTE(review): registered as ACT_GATHER_INFO although the check sends
     # malformed USER names to the service -- confirm this category is intended.
     script_category(ACT_GATHER_INFO);
     script_family(english:"FTP");
    
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
    
     # Scheduling requirements: needs the "ftp/proftpd" KB key (presumably set
     # by the FTP server detection dependency) and an FTP service port.
     script_dependencie("ftpserver_detect_type_nd_version.nasl");
     script_require_keys("ftp/proftpd");
     script_require_ports("Services/ftp", 21);
     # Stop here in description mode; the check logic below is not executed.
     exit(0);
    }
    
    #
    # The script code starts here : 
    #
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("ftp_func.inc");
    
    # Remote heuristic check. It compares how the server answers two malformed
    # USER names and reports when the second one gets no reply at all. The
    # verdict rests on silence alone, so the script refuses to run unless
    # report_paranoia is at least 1 (see the exit message below).
    if (report_paranoia < 1) exit(0, "This script is prone to False Positive.");
    
    port = get_ftp_port(default: 21);
    
    # Only continue when a banner is available and it names ProFTPD.
    banner = get_ftp_banner(port:port);
    if( ! banner)
     exit(1, "No FTP banner on port "+port);
    if ("ProFTPD" >!< banner)
     exit(0, "The FTP server on port "+port+" is not ProFTPD.");
    
    soc = open_sock_tcp(port);
    if(!soc)exit(1, "Connection refused on port "+port);
    
    # Re-read the greeting on the live connection; it must be a 220 line that
    # mentions "proftp" (case-insensitive), otherwise the check is abandoned.
    banner = ftp_recv_line(socket:soc);
    if (! banner || ! egrep(pattern:"^220.*proftp", string:banner, icase:TRUE) )
    {
     close(soc);
     exit(1, "Could not read welcome message on port "+port);
    }
    
    # Control probe: a USER name consisting of a double quote. The server is
    # expected to answer it; if it does not, the test cannot distinguish a
    # vulnerable server from an unresponsive one and exits with an error.
    send(socket:soc, data:'USER "\r\n');
    r = recv_line(socket:soc, length:4096);
    close(soc);
    if(!r) exit(1, "No answer to bogus USER command on port "+port);
    
    # Second connection for the actual test.
    soc = open_sock_tcp(port);
    if(!soc)exit(1, "Connection refused on port "+port);
    # Consume the greeting first (only its presence is checked here, unlike
    # the first connection where it was matched against "^220.*proftp").
    banner = ftp_recv_line(socket:soc);
    if(!banner)
    {
      close(soc);
      exit(1, "Could not read FTP banner on port "+port);
    }
    # The following causes a syntax error and makes the FTP
    # daemon close the session: a USER name consisting of a single quote.
    # The reply is awaited for three times the normal read timeout.
    send(socket:soc, data: 'USER \'\r\n');
    r = recv_line(socket:soc, length:4096, timeout: 3 * get_read_timeout());
    # No reply is taken as evidence of the flaw. NOTE(review): any other cause
    # of silence on this connection would presumably produce the same result,
    # so a finding should be confirmed against the installed ProFTPD version
    # and its SQL authentication configuration.
    if(!r)
    {
     security_hole(port);
     # NOTE(review): the KB item is written under a 'www/' prefix although the
     # port belongs to an FTP service -- confirm what consumes this key.
     set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    }
    close(soc);