Heap-based buffer overflow in the sql_prepare_where function
(contrib/mod_sql.c) in ProFTPD before 1.3.3d, when mod_sql is enabled,
allows remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via a crafted username containing substitution tags,
which are not properly handled during construction of an SQL query.
Updated: 2016-01-26 17:38:04 UTC (commit 10507)
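
The defensive pattern for the bug class described above, as an added example that is not ProFTPD's code: a tag expander that checks the remaining buffer space on every write and copies the substituted value as data in a single pass. The function names and the two-tag syntax (%U, %%) are assumptions made for this sketch, and the user value is assumed to be SQL-escaped already.

```c
#include <stdio.h>
#include <string.h>

/* Append n bytes to out; one byte of cap stays reserved for the NUL. */
static int append(char *out, size_t cap, size_t *used, const char *src, size_t n)
{
    if (n > cap - 1 - *used)
        return -1;
    memcpy(out + *used, src, n);
    *used += n;
    out[*used] = '\0';
    return 0;
}

/* Hypothetical tag syntax for this example: %U = user value, %% = literal '%'.
 * The value is copied as data in one pass, so tags inside it are not expanded
 * again. Returns 0 on success, -1 on overflow or an unknown/truncated tag. */
int expand_where(const char *tmpl, const char *user, char *out, size_t cap)
{
    size_t used = 0;
    if (cap == 0)
        return -1;
    out[0] = '\0';
    for (const char *p = tmpl; *p != '\0'; p++) {
        int rc = -1;                       /* default: reject the tag */
        if (*p != '%') {
            rc = append(out, cap, &used, p, 1);
        } else if (p[1] == 'U') {
            rc = append(out, cap, &used, user, strlen(user));
            p++;
        } else if (p[1] == '%') {
            rc = append(out, cap, &used, "%", 1);
            p++;
        }
        if (rc != 0) {
            out[0] = '\0';                 /* never return a partial query */
            return -1;
        }
    }
    return 0;
}

int main(void)
{
    char q[32];                            /* constructed sample input below */
    int rc = expand_where("name='%U'", "a%U%U", q, sizeof q);
    printf("%d [%s]\n", rc, q);
    return 0;
}
```

Sizing the buffer from the template alone is the mistake this guards against: the expanded length depends on the substituted value, so the check has to happen at each write.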