Bugtraq mailing list archives
mod_sqlpw Password Caching Bug
From: Miller <joemiler () CLARK NET>
Date: Mon, 11 Dec 2000 14:55:48 -0500
The mod_sqlpw module for ProFTPD caches the user id and password information returned from the mysql database when attempting to verify a password. When the "user" command is used to switch to another account, the cached password is not cleard, and the password entered is checked against the cached password. If a user knows the password for a valid account on a ProFTPD system using mod_sqlpw, they may log into any other account in the database by doing the following: 1. FTP to the host running ProFTPD/mod_sqlpw. 2. At the login prompt, enter the user id of the known account "bob". 3. When prompted for a password, enter an invalid password for the account "bob". Authentication will fail. 4. Type "user alice", where "alice" is another account in the user database. 5. When prompted for a password, enter the correct password for "bob". At this point, the user "bob" is logged in as the user "alice" without knowing alice's password. Joe Miller
Current thread:
- mod_sqlpw Password Caching Bug Miller (Dec 13)
- Re: mod_sqlpw Password Caching Bug Todd C. Campbell (Dec 14)