Vulnerability Tutorial - ProFTPD vulnerabilities
Updated: 07/09/10 (RED light)
Summary
Several versions of the ProFTPD server have a variety of vulnerabilities.
Impact
Malicious users exploiting these vulnerabilities are able to gain unauthorized access or disrupt service on a target system.
Background
The File Transfer Protocol (FTP) allows a client to store or retrieve files on a server. ProFTPD is one freely available implementation of FTP.
The Problem

Authentication Delay Username Enumeration Vulnerability

07/09/10
CVE 2004-1602
A timing attack vulnerability exists in ProFTPD that could allow an attacker to enumerate the login names of users with accounts on the system.
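As an added illustration (not ProFTPD's code) of why a username-dependent authentication delay leaks account names: the leaky login returns immediately for unknown users and only does password hashing for known ones, while the uniform login performs the same work on both paths and pads every attempt to a minimum elapsed time. The user table, salt and dummy record are constructed for the example.

```python
# Added example, not ProFTPD's code: a username-dependent failure path versus a
# uniform one. Usernames, passwords and salts below are constructed sample data.
import hashlib, hmac, os, time

def _pbkdf2(pw, salt):
    """Deliberately slow password hash so the cost difference is measurable."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 20000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}

# Dummy record so that unknown users cost exactly the same hashing work as known
# ones. Its password can never authenticate because of the membership check below.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _pbkdf2("<not a password>", _DUMMY_SALT))

def login_leaky(user, pw):
    """Vulnerable pattern: unknown users fail instantly, known users pay for PBKDF2,
    so the response time alone reveals whether the account exists."""
    if user not in USERS:
        return False
    salt, stored = USERS[user]
    return hmac.compare_digest(_pbkdf2(pw, salt), stored)

def login_uniform(user, pw, floor=0.25):
    """Hardened pattern: identical hashing work on every path, a constant-time
    comparison, and a minimum elapsed time (floor seconds) before returning."""
    start = time.monotonic()
    salt, stored = USERS.get(user, _DUMMY)
    # compare_digest always runs; the membership test rules out the dummy record.
    ok = hmac.compare_digest(_pbkdf2(pw, salt), stored) and user in USERS
    remaining = floor - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return ok

def elapsed(fn, user, pw, **kw):
    """Wall-clock seconds for one attempt, for comparing the two paths locally."""
    t = time.monotonic()
    fn(user, pw, **kw)
    return time.monotonic() - t
```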

Server Username Handling SQL Injection

02/20/09
CVE 2009-0542
A vulnerability exists in ProFTPD that could be exploited by remote attackers to conduct SQL injection attacks on the server. This flaw is due to improper validation of a user-supplied username string before being used in an SQL query. A remote unauthenticated attacker can trigger this vulnerability by sending a malicious username to the target ProFTPD server and gain the privileges of a legitimate user.

Long Command Handling Security

10/03/08
CVE 2008-4242
ProFTPD 1.3.1 and prior are prone to a security vulnerability which can be exploited by malicious people to conduct cross-site request forgery attacks. The vulnerability is caused by the application truncating an overly long FTP command and improperly interpreting the remainder of the string as a new FTP command.

Auth API Multiple Authentication Modules Security Bypass

07/02/07
CVE 2007-2165
The Auth API in ProFTPD 1.3.1rc2 and 1.3.0a and prior, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication.

Additional vulnerability in ProFTPD 1.3.0a

12/22/06
CVE 2006-6563
ProFTPD version 1.3.0a and prior have a vulnerability in the mod_ctrls module. This vulnerability allows a local stack-based buffer overflow. ProFTPD must be compiled with mod_ctrls support and the module must be enabled.

Vulnerabilities in ProFTPD 1.3.0a

12/01/06
CVE 2006-6170
CVE 2006-6171
ProFTPD version 1.3.0a and prior have two vulnerabilities, one when the mod_tls module is used and the other when the CommandBufferSize option is used. The first causes a buffer overflow and remote code execution; the second causes a buffer underflow which has unknown effects.

.message file overflows

11/30/06
CVE 2006-5815
ProFTPD is subject to a vulnerability caused by an overflow in the .message files that can be set to display whenever a user enters a directory. To exploit this vulnerability, an attacker must have authenticated access (including anonymous) and the system must be set to display .message files on entering directories. Versions prior to 1.3.0a are vulnerable.

mod_radius Buffer Overflow

02/14/06
CVE 2005-4816
ProFTPD's mod_radius is vulnerable to a buffer overflow issue due to insufficient boundary checking. This only applies if mod_radius has been enabled. ProFTPD versions 1.3.0rc2 and earlier are vulnerable.

Shutdown Format String Vulnerability

08/04/05
CVE 2005-2390
ProFTPD is affected by a format string vulnerability when displaying a shutdown message containing the name of the current directory. An FTP user could execute arbitrary commands by creating a specially crafted directory name containing format string characters, and being in that directory when the shutdown message is sent. ProFTPD 1.3.0rc1 and earlier are affected by this vulnerability if the shutdown message contains %C, %R, or %U.

A second format string vulnerability affects the same versions of ProFTPD if the SQLShowInfo directive is set and an FTP user can control the contents of the database.

CIDR Access Control Rule Bypass

05/05/04
CVE 2004-0432
A flaw introduced in ProFTPD 1.2.9 causes Allow and Deny directives containing CIDR addresses (for example, 172.16.0.0/16) to be treated as AllowAll. This flaw could allow remote users to be granted access to files even if their address is specifically denied. ProFTPD 1.2.9 through 1.2.10rc1 are affected by this vulnerability if CIDR addresses are used in access control lists.
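The following is an added example (not ProFTPD's code) of what a correct CIDR-aware Allow/Deny evaluation looks like, in contrast to the affected versions treating a rule such as 172.16.0.0/16 as AllowAll. It uses a simplified first-match policy with a default of deny, which is an assumption for the example and not ProFTPD's exact Order semantics; the sample rule list is constructed.

```python
# Added example, not ProFTPD's code: CIDR-aware Allow/Deny evaluation.
# Policy (assumed for the example): rules are checked in order, the first rule
# that matches the client address wins, and an address matching no rule is denied.
import ipaddress

def parse_rule(rule):
    """'Deny 172.16.0.0/16' -> ('deny', IPv4Network); 'Allow all' -> ('allow', 'all')."""
    action, _, target = rule.strip().partition(" ")
    action = action.lower()
    if action not in ("allow", "deny"):
        raise ValueError("unknown action in rule: %r" % rule)
    target = target.strip()
    if target.lower() == "all":
        return action, "all"
    # A bare address becomes a /32 (or /128) network; strict=False tolerates
    # host bits set in the prefix, e.g. 172.16.1.0/16.
    return action, ipaddress.ip_network(target, strict=False)

def is_allowed(client_ip, rules):
    """Return True if client_ip is permitted by the rule list, else False."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        action, target = parse_rule(rule)
        # 'addr in network' is False for an IPv4/IPv6 family mismatch, so a
        # v6 client never matches a v4 CIDR by accident.
        if target == "all" or addr in target:
            return action == "allow"
    return False

# Constructed sample ACL: deny one /16 and one host, allow everything else.
SAMPLE_RULES = [
    "Deny 172.16.0.0/16",
    "Deny 203.0.113.7",
    "Allow all",
]

if __name__ == "__main__":
    for ip in ("172.16.40.2", "203.0.113.7", "192.0.2.10", "2001:db8::1"):
        print(ip, "allowed" if is_allowed(ip, SAMPLE_RULES) else "denied")
```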

ASCII mode buffer overflow

09/23/03
CVE 2003-0831
During ASCII mode file transfers, ProFTPD examines file data in 1024-byte chunks for newline characters. A buffer overflow condition in this procedure could allow a remote attacker to execute arbitrary commands by uploading a specially crafted file to the server, and then downloading the same file.

This vulnerability can only be exploited remotely if the attacker has access to a valid FTP account on the server, with the ability to upload files from that account. The anonymous account can be used for this purpose if it is enabled and configured to allow file uploads. Although ProFTPD normally downgrades itself to an unprivileged account, it is possible to bypass this safeguard, thus allowing code execution with root privileges.

03/05/04
CVE 2004-0346
A version of ProFTPD containing a fix for the above vulnerability was released on September 23, 2003. However, the patch introduced a new off-by-one buffer overflow, which, together with an existing off-by-one buffer overflow, leads to a two-byte buffer overflow condition that could allow an authenticated user to gain root access. ProFTPD versions prior to 1.2.9rc3 are affected.

setproctitle vulnerability

CVE 2000-0574
A missing format string in the setproctitle function call could allow an attacker to gain root access via a format string attack. ProFTPD prior to 1.2.0 is known to be vulnerable to this attack.

Multiple vulnerabilities in ProFTPD

CVE 1999-0911
CVE 2001-0136
CVE 2001-0318
Multiple vulnerabilities affecting ProFTPD could be used to create a denial of service or execute arbitrary code on the server.

01/18/02
CVE 2001-1501
The first problem is a denial of service which results from a command containing excessive globbing. By issuing a LIST command with an argument containing many repetitions of the "*/.." string, for example, an attacker could cause the server to consume all available memory, thus crashing the FTP process or the server. ProFTPD version 1.2.1 and earlier are affected by this vulnerability.

The next two problems are memory leaks, one in the SIZE command and another in the USER command, which could be exploited to consume excessive amounts of memory on the system, leading to a denial of service. ProFTPD 1.2.0 prior to rc3, including all pre-release versions, are affected by these two vulnerabilities.

The last problem is a format string vulnerability which could be used to execute arbitrary code on the system. This exploit is theoretically possible but very difficult to execute in practice. ProFTPD 1.2.0 prior to rc3, including all pre-release versions, are affected by this vulnerability.

Palmetto Buffer Overflow

CVE 1999-0368
Due to improper bounds checking, an attacker can overwrite the internal stack space of the FTP server, thereby executing arbitrary commands with the privileges of the FTP server, which is typically root. The attacker would need access to a writable directory on the FTP server, either through a user account or by anonymous FTP, in order to create the long pathname necessary to exploit the vulnerability. ProFTPD versions prior to 1.2.0pre2 are affected by this vulnerability. This vulnerability is described in CERT Advisory 1999-03.

Resolution
Upgrade ProFTPD to 1.3.2rc3 or higher.

Another solution would be to obtain the latest fixed or patched versions of ftpd from your vendor.

In some cases, disallowing anonymous FTP access, or removing write permissions from all directories accessible by anonymous FTP, could serve as a workaround. However, this will only be an effective solution for those vulnerabilities which, as noted above, require the attacker to create files or directories on the server. You will still need to upgrade ProFTPD to fix the other vulnerabilities.

Finally, FTP access can be restricted by using TCP wrappers.

More Information
The Authentication Delay Username Enumeration Vulnerability was reported on the Bugtraq Mailing List. Additional information is available by referencing Bugtraq ID 11430.

The Server Username Handling SQL Injection vulnerability was reported in Bugtraq ID 33722.

The Long Command Handling Security vulnerability was reported in Secunia Advisory SA31930.

The auth API multiple authentication modules security bypass was reported in Secunia Advisory SA24867.

The additional 1.3.0a vulnerabilities were reported in Bugtraq ID 21587.

The 1.3.0a vulnerabilities were reported in Secunia Advisory SA22821 and Secunia Advisory SA23141.

The .message vulnerability was reported in Bugtraq ID 20992.

More information about the vulnerabilities in ProFTPD can be found in ProFTPD bug 2658, Secunia Advisory SA16181, ProFTPD bug 2267, Bugtraq, CA-2000-13, CA-1999-03, Bugtraq archive 160902, and Bugtraq archive 169395.