CVE-2009-0543 – ProFTPd - 'mod_mysql' Authentication Bypass
https://notcve.org/view.php?id=CVE-2009-0543
ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2) mod_sql_postgres.
References:
https://www.exploit-db.com/exploits/8037
http://bugs.proftpd.org/show_bug.cgi?id=3173
http://secunia.com/advisories/34268
http://security.gentoo.org/glsa/glsa-200903-27.xml
http://www.debian.org/security/2009/dsa-1730
http://www.mandriva.com/security/advisories?name=MDVSA-2009:061
http://www.openwall.com/lists/oss-security/2009/02/11/4
http://www.openwall.com/lists/oss-security/2009/02/11/5
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2008-4242
https://notcve.org/view.php?id=CVE-2008-4242
ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
References:
http://bugs.proftpd.org/show_bug.cgi?id=3115
http://secunia.com/advisories/31930
http://secunia.com/advisories/33261
http://secunia.com/advisories/33413
http://securityreason.com/achievement_securityalert/56
http://securityreason.com/securityalert/4313
http://www.debian.org/security/2008/dsa-1689
http://www.mandriva.com/security/advisories?name=MDVSA-2009:061
http://www.securityfocus.com/bid/31289
http://www.securitytracker.com/id?1020945
https://exchange.xforce.ibmcloud.com/vulnerabil
Weakness: CWE-352: Cross-Site Request Forgery (CSRF)