Authentication Bypass in ProFTPD Server by The Vendor ProFTPD
CVE-2007-2165
Currently unrated
What is CVE-2007-2165?
In ProFTPD versions prior to 20070417, a vulnerability exists in the authentication API that can be exploited when multiple authentication modules are configured at the same time. The flaw lets attackers bypass authentication because one module can be used to check authentication while a different module supplies the authentication data. For instance, an attacker could leverage SQLAuthTypes Plaintext in mod_sql while user data is pulled from /etc/passwd, compromising server security. The vulnerability shows why authentication checks must align with the method used to retrieve the data, to guard against unauthorized access.
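The mismatch described above, as a toy C model added here (not ProFTPD source; the module names, the digest scheme and the sample record are all constructed). One dispatcher lets any module vouch for a record, the other asks only the module that supplied it.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not ProFTPD code: every name and value below is constructed. */
typedef struct { const char *user, *stored, *source; } record;
typedef struct {
    const char *name;
    int (*check)(const char *stored, const char *given);
} auth_module;

/* "file" module: stored field is a toy digest ("sum:" + byte sum), never the password. */
static int check_digest(const char *stored, const char *given) {
    unsigned sum = 0;
    char buf[32];
    for (const char *p = given; *p; p++) sum += (unsigned char)*p;
    snprintf(buf, sizeof buf, "sum:%u", sum);
    return strcmp(stored, buf) == 0;
}

/* "sql" module in plaintext mode: stored field is compared to the input as-is. */
static int check_plaintext(const char *stored, const char *given) {
    return strcmp(stored, given) == 0;
}

static const auth_module modules[] = {
    { "file", check_digest }, { "sql", check_plaintext },
};
enum { NMODULES = sizeof modules / sizeof modules[0] };

/* Flawed dispatch: any module may vouch for a record it did not supply. */
int auth_any_module(const record *r, const char *given) {
    for (int i = 0; i < NMODULES; i++)
        if (modules[i].check(r->stored, given)) return 1;
    return 0;
}

/* Bound dispatch: only the module that supplied the record may check it. */
int auth_source_module(const record *r, const char *given) {
    for (int i = 0; i < NMODULES; i++)
        if (strcmp(modules[i].name, r->source) == 0)
            return modules[i].check(r->stored, given);
    return 0; /* unknown source: fail closed */
}

/* Constructed record as the "file" module would return it; byte sum of "secret" is 646. */
const record alice = { "alice", "sum:646", "file" };
```

In the flawed dispatcher the plaintext check accepts the record's stored field itself, while the bound dispatcher rejects it because the digest check is the only one consulted for a file-sourced record.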
