ProFTPD Character Encoding SQL Injection Vulnerability

mikeshinn · **Posted:** Sat Feb 07, 2009 7:22 pm

http://www.proftpd.org/docs/RELEASE_NOTES-1.3.2
http://bugs.proftpd.org/show_bug.cgi?id=3173

Affects ProFTPD 1.3.1 (but NOT earlier versions or 1.3.2) that have NLS
support enabled. If your LANG environment variable uses the "C" or "POSIX"
locale, you are not vulnerable.

Successful exploitation requires that NLS support is enabled.

Solution:
Update to version 1.3.2.

breun · **Posted:** Sun Feb 08, 2009 8:16 am

Does Plesk's ProFTPd have NLS (whatever it is) enabled by default? Or how can we check? And if one need to upgrade, how would we go about doing that so we don't mess up Plesk?

laughingbuddha · **Posted:** Sat Feb 28, 2009 10:29 am

Yeah ditto. I got no idea what NLS is, or if it's a default.

nobody · **Joined:** Sun Mar 29, 2009 6:52 pm **Posts:** 348

I googled it. And If what I found is correct NLS has to do with locale.
And also I found that in plesk 8.3 it is a default ...

Offcourse source is google.

The atomic repository instantly installs the 1.3.2 and the problem is solved

hostingguy · **Joined:** Mon Oct 29, 2007 6:51 pm **Posts:** 606

Their 1.3.2 also doesnt have qouta support last I tried, so anyone using quota support in FTP will be broken, and the FTP server wont spawn on demand processes.

scott · **Posted:** Thu Apr 02, 2009 5:23 pm

It does now

As of 1.3.2-5

aus-city · **Joined:** Thu Oct 26, 2006 11:56 pm **Posts:** 665

Thanks Scott!

However I can't find the SRPM for -5 can you check?

Thanks!

ProFTPD Character Encoding SQL Injection Vulnerability

Who is online