Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against ProFTPD Server Username Handling SQL Injection

Subscribe

Check Point Reference: CPAI-2009-057
Date Published:
Severity:
Source: Secunia Advisory: SA33842
Industry Reference(s): CVE-2009-0542
Protection Provided by: IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
ProFTPD Project ProFTPD 1.3.1 to 1.3.2rc2
Vulnerability Description
A vulnerability was reported in the ProFTPD server, a File Transfer Protocol (FTP) server mainly used in Linux distributions. The flaw is due to improper validation of a user-supplied username string before being used in an SQL query. A remote unauthenticated attacker can trigger this vulnerability by sending a malicious username to the target ProFTPD server and gain the privileges of a legitimate user.
Vulnerability Details
A remote attacker can exploit this vulnerability by specifying an SQL injection string in the username. This will cause the server to perform string transformation and facilitate the execution of arbitrary SQL on the back-end database.

Protection Overview
By enabling this protection, IPS-1 will detect and block attempts to access the ProFTPd server with a username that contains SQL statements.

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > FTP, and select the FTP Command Attacks protection group.
3. Click ProFTPd Username SQL Injection (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: FTP Commands
Description: ProFTPd Username SQL Injection