ProFTPD SQL Injection Vulnerability in mod_wrap2_sql via Reverse DNS Lookup

Vulnerability

A SQL injection vulnerability has been identified in ProFTPD versions through 1.3.9a, specifically in the mod_wrap2_sql component. The issue arises in the sqltab_fetch_clients_cb() function, where domain names obtained from reverse DNS lookups are inserted into SQL queries without escaping. The vulnerability is exploitable when the 'UseReverseDNS on' directive is set, allowing a remote attacker to execute arbitrary SQL commands. It has been addressed in version 1.3.10.

Impact

Exploitation of this vulnerability allows for arbitrary SQL injection, which could lead to authentication bypass or unauthorized data extraction from the database.

Reproduction

To reproduce this vulnerability, enable the 'UseReverseDNS on' option in the ProFTPD configuration. An attacker must then control the reverse DNS hostname of the connecting IP, ensuring it complies with DNS naming conventions. When the server performs the reverse lookup, the returned hostname is placed into the SQL query without sanitization, so any SQL embedded in it is executed by the database.
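The bug class described above, shown as an added illustration that is not ProFTPD's code: a reverse-DNS hostname concatenated into a client-lookup query, beside a hardened lookup that validates the hostname syntax and binds it as a query parameter. The table layout, hostnames and the crafted name are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample rows for an access table keyed by client hostname
# (an assumption for illustration, not the schema used by mod_wrap2_sql).
_ROWS = [
    ("ftp.example.net", "allow"),
    ("bad.example.org", "deny"),
]

# RFC 1123 hostname syntax: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, each label at most 63 characters.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def is_valid_hostname(name: str) -> bool:
    """Reject a reverse-lookup result that is not a syntactically valid hostname."""
    return len(name) <= 253 and _HOSTNAME_RE.match(name) is not None


def _db() -> sqlite3.Connection:
    """Build an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ftpallow (client TEXT, action TEXT)")
    conn.executemany("INSERT INTO ftpallow VALUES (?, ?)", _ROWS)
    return conn


def lookup_vulnerable(rdns_name: str) -> list:
    """The defect: the reverse-DNS name becomes part of the SQL text unescaped,
    so a crafted name changes the WHERE clause instead of being matched as data."""
    conn = _db()
    sql = "SELECT client, action FROM ftpallow WHERE client = '" + rdns_name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(rdns_name: str) -> list:
    """The fix: validate the name, then bind it as a parameter so the database
    treats it purely as a value and never as SQL syntax."""
    if not is_valid_hostname(rdns_name):
        return []  # not a hostname: deny by returning no matching entry
    conn = _db()
    sql = "SELECT client, action FROM ftpallow WHERE client = ?"
    return conn.execute(sql, (rdns_name,)).fetchall()
```

With a genuine hostname both lookups return the same single row; with a crafted name the concatenated query returns every row while the hardened lookup returns none.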

Remediation

Upgrade to ProFTPD version 1.3.10, which fixes this vulnerability.

Added: May 5, 2026, 8:22 PM
Updated: May 5, 2026, 8:22 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 9.7
remediation: 8.3
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.