ProFTPD mod_sqlpw Vulnerability

ProFTPD is a popular FTP server that ships with numerous Unix and Linux variants.

Compiling the mod_sqlpw module into ProFTPD makes it possible for local users to view the passwords of users who have connected to the FTP server. When the module is used, it writes login information to wtmp. Unfortunately, it writes the password into the wtmp field where the username should be, so the passwords are visible to anyone who runs a command such as 'last' locally.
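An added example, not part of the original advisory: a Python audit that scans a wtmp file for FTP login records whose user field is not a known account name, and reports them without printing the field. It assumes the Linux glibc 384-byte record layout and that FTP sessions are logged with a line name starting with "ftp"; the function names and the sample records are constructed for illustration.

```python
import struct

# Linux glibc utmp/wtmp record (384 bytes); an assumption, other platforms differ.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
USER_PROCESS = 7  # ut_type value for a login record

def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def suspicious_ftp_entries(wtmp_bytes, known_accounts, line_prefix="ftp"):
    """Return (offset, line, host, tv_sec) for FTP login records whose user
    field is not a known account. The field itself is never returned,
    because it may hold a password."""
    hits = []
    usable = len(wtmp_bytes) - len(wtmp_bytes) % UTMP.size  # skip a torn tail
    for off in range(0, usable, UTMP.size):
        rec = UTMP.unpack_from(wtmp_bytes, off)
        ut_type, line, user, host, tv_sec = (
            rec[0], _text(rec[2]), _text(rec[4]), _text(rec[5]), rec[9])
        if ut_type != USER_PROCESS or not line.startswith(line_prefix):
            continue
        if user and user not in known_accounts:
            hits.append((off, line, host, tv_sec))
    return hits

def _record(line, user, host, tv_sec, pid=4242):
    """Build one constructed record for the demo below."""
    return UTMP.pack(USER_PROCESS, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")

# Constructed sample: one normal FTP login, one FTP login with a
# password-like string in the user field, one unrelated terminal login.
SAMPLE = b"".join([
    _record("ftpd4242", "alice", "host-a.example", 946684800),
    _record("ftpd4243", "s3cret-Pass!", "host-b.example", 946684860),
    _record("pts/0", "bob", "host-c.example", 946684920),
])

if __name__ == "__main__":
    for off, line, host, ts in suspicious_ftp_entries(SAMPLE, {"alice", "bob"}):
        print(f"offset={off} line={line} host={host} time={ts} user=<redacted>")
```

On a real host, pass the bytes of the wtmp file and the account names from `pwd.getpwall()`; any hit means the file should be treated as containing credentials.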


 

Copyright 2010, SecurityFocus