Heap-based buffer overflow in the sql_prepare_where function
(contrib/mod_sql.c) in ProFTPD before 1.3.3d, when mod_sql is enabled,
allows remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via a crafted username containing substitution tags,
which are not properly handled during construction of an SQL query.
Updated: 2015-07-29 20:39:13 UTC (commit 9756)
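
The flaw described above is an expansion step that can write more bytes than the destination buffer holds when the username itself carries tag characters. The following is an added example, not ProFTPD's code: a bounds-checked expander in which the function names, the `%U` tag syntax and the template are hypothetical. It rejects results that do not fit and copies the username as literal bytes, never re-scanning it for tags.

```c
#include <stddef.h>
#include <string.h>

/* Append n bytes of src to out at *pos, never writing past cap - 1
 * (one byte is reserved for the terminating NUL). */
static int put(char *out, size_t cap, size_t *pos, const char *src, size_t n)
{
    if (cap == 0 || n > cap - 1 - *pos)
        return -1;              /* would overflow: reject, do not truncate */
    memcpy(out + *pos, src, n);
    *pos += n;
    return 0;
}

/* Expand the hypothetical tag "%U" in tmpl with the client-supplied user
 * name. The name is copied as literal bytes and never re-scanned, so a
 * '%' inside it cannot trigger a second expansion. SQL escaping of the
 * name is a separate step and is not shown here. Returns the output
 * length, or -1 if the result does not fit or the template is malformed. */
long expand_where(const char *tmpl, const char *user, char *out, size_t cap)
{
    size_t pos = 0;

    if (cap == 0)
        return -1;
    for (const char *p = tmpl; *p != '\0'; p++) {
        int rc;
        if (p[0] == '%' && p[1] == 'U') {
            rc = put(out, cap, &pos, user, strlen(user));
            p++;                /* skip the 'U' */
        } else if (p[0] == '%' && p[1] == '%') {
            rc = put(out, cap, &pos, "%", 1);   /* escaped percent sign */
            p++;
        } else if (p[0] == '%') {
            rc = -1;            /* unknown or dangling tag: fail closed */
        } else {
            rc = put(out, cap, &pos, p, 1);
        }
        if (rc != 0) {
            out[0] = '\0';      /* leave no partial clause behind */
            return -1;
        }
    }
    out[pos] = '\0';
    return (long)pos;
}
```
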