CVE-2010-4652

Priority
Medium
Description
Heap-based buffer overflow in the sql_prepare_where function
(contrib/mod_sql.c) in ProFTPD before 1.3.3d, when mod_sql is enabled,
allows remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via a crafted username containing substitution tags,
which are not properly handled during construction of an SQL query.
References
Package
Upstream: released (1.3.3a-6)
Ubuntu 10.04 LTS (Lucid Lynx): ignored (reached end-of-life)
Ubuntu 12.04 LTS (Precise Pangolin): released (1.3.3d-4)
Ubuntu 12.10 (Quantal Quetzal): released (1.3.3d-4)
Ubuntu 13.04 (Raring Ringtail): released (1.3.3d-4)
Ubuntu 13.10 (Saucy Salamander): released (1.3.3d-4)
Ubuntu 14.04 LTS (Trusty Tahr): released (1.3.3d-4)
More Information

Updated: 2013-12-20 21:16:24 UTC (commit 7585)