SQL Injection Flaw in ProFTPD Server by ProFTPD
CVE-2009-0542

Currently unrated

Key Information:

Vendor: Proftpd Project
Status: Proftpd
Vendor: CVE Published:; 12 February 2009

🔔 Create Proftpd Project Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 58%

What is CVE-2009-0542?

The ProFTPD Server versions 1.3.1 through 1.3.2rc2 are subject to an SQL injection vulnerability that enables remote attackers to exploit the system by sending specially crafted usernames. This injection leverages the '%' character, which manipulates the username input to include a single quote, leading to arbitrary SQL command execution through mod_sql. This issue poses significant security risks for server integrity and data confidentiality.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2009-0542 - Proof of Concept

References

http://www.debian.org/security/2009/dsa-1730

vendor-advisoryx_refsource_DEBIAN

http://www.securityfocus.com/archive/1/500833/100/0/threaded

mailing-listx_refsource_BUGTRAQ

http://www.openwall.com/lists/oss-security/2009/02/11/5

mailing-listx_refsource_MLIST

EPSS Score

58% chance of being exploited in the next 30 days.

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Feb 12, 2009
👾
Exploit known to exist
Feb 12, 2009
Vulnerability published
Feb 12, 2009
Vulnerability Reserved
Feb 12, 2009

CVE-2009-0542 Data

JSON