ProFTPD AUTH Multiple Authentication Module Security Bypass Vulnerability
BID:23546
Info
| Bugtraq ID: | 23546 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 18 2007 12:00AM |
| Updated: | Nov 15 2007 12:37AM |
| Credit: | Evgeni Golov is credited with the discovery of this vulnerability. |
| Vulnerable: |
Redhat Fedora Core7
ProFTPD Project ProFTPD 1.3 rc3
ProFTPD Project ProFTPD 1.3 a
ProFTPD Project ProFTPD 1.3 .0rc2
ProFTPD Project ProFTPD 1.3 .0rc1
ProFTPD Project ProFTPD 1.3
ProFTPD Project ProFTPD 1.2.10
ProFTPD Project ProFTPD 1.2.9 rc3
ProFTPD Project ProFTPD 1.2.9 rc2
ProFTPD Project ProFTPD 1.2.9 rc1
ProFTPD Project ProFTPD 1.2.9
ProFTPD Project ProFTPD 1.2.8 rc2
ProFTPD Project ProFTPD 1.2.8 rc1
ProFTPD Project ProFTPD 1.2.8
ProFTPD Project ProFTPD 1.2.7 rc3
ProFTPD Project ProFTPD 1.2.7 rc2
ProFTPD Project ProFTPD 1.2.7 rc1
ProFTPD Project ProFTPD 1.2.7
ProFTPD Project ProFTPD 1.2.6
ProFTPD Project ProFTPD 1.2.5 rc1
ProFTPD Project ProFTPD 1.2.5
ProFTPD Project ProFTPD 1.2.4
ProFTPD Project ProFTPD 1.2.3
ProFTPD Project ProFTPD 1.2.2 rc3
ProFTPD Project ProFTPD 1.2.2 rc1
ProFTPD Project ProFTPD 1.2.2
ProFTPD Project ProFTPD 1.2.1
ProFTPD Project ProFTPD 1.2 pre9
ProFTPD Project ProFTPD 1.2 pre8
ProFTPD Project ProFTPD 1.2 pre7
ProFTPD Project ProFTPD 1.2 pre6
ProFTPD Project ProFTPD 1.2 pre5
ProFTPD Project ProFTPD 1.2 pre4
ProFTPD Project ProFTPD 1.2 pre3
ProFTPD Project ProFTPD 1.2 pre2
ProFTPD Project ProFTPD 1.2 pre11
ProFTPD Project ProFTPD 1.2 pre10
ProFTPD Project ProFTPD 1.2 pre1
ProFTPD Project ProFTPD 1.2 .0rc3
ProFTPD Project ProFTPD 1.2 .0rc2
ProFTPD Project ProFTPD 1.2 .0rc1
ProFTPD Project ProFTPD 1.2
Mandriva Linux Mandrake 2007.1 x86_64
Mandriva Linux Mandrake 2007.1
Mandriva Linux Mandrake 2007.0 x86_64
Mandriva Linux Mandrake 2007.0
MandrakeSoft Corporate Server 4.0 x86_64
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 4.0 |
| Not Vulnerable: | |
Discussion
ProFTPD is reported prone to a security-restriction-bypass vulnerability because of an error in the AUTH API.
Attackers may exploit this issue to bypass security controls when multiple modules are configured with disparate authentication policies.
ProFTPD 1.2 and 1.3 branches are reported vulnerable; other versions may be affected as well.
NOTE: The latest version in the CVS repository reportedly addresses this issue.
Exploit / POC
Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
Solution / Fix
Solution:
The vendor has addressed this vulnerability in the latest CVS versions. Please see the vendor references for details.
References
References: