FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-16 06:42:40 UTC


These are the vulnerabilities relating to the commit you have selected:

VuXML ID: 022a4c77-2da4-11e1-b356-00215c6a37bb
Description: proftpd -- arbitrary code execution vulnerability with chroot

The FreeBSD security advisory FreeBSD-SA-11:07.chroot reports:

If ftpd is configured to place a user in a chroot environment, then an attacker who can log in as that user may be able to run arbitrary code(...).

Proftpd shares the same problem of a similar nature.


Discovery: 2011-11-30
Entry: 2011-12-23
Modified: 2012-01-29

Affected packages:
FreeBSD: ge 7.3 lt 7.3_9
FreeBSD: ge 7.4 lt 7.4_5
FreeBSD: ge 8.1 lt 8.1_6
FreeBSD: ge 8.2 lt 8.2_5
proftpd, proftpd-mysql: < 1.3.3g_1
proftpd-devel: < 1.3.3.r4_3,1

References:
SA-11:07.chroot
http://seclists.org/fulldisclosure/2011/Nov/452

VuXML ID: 0f51f2c9-8956-11dd-a6fe-0030843d3802
Description: proftpd -- Long Command Processing Vulnerability

Secunia reports:

The vulnerability is caused due to the application truncating an overly long FTP command, and improperly interpreting the remainder string as a new FTP command. This can be exploited to execute arbitrary FTP commands with the privileges of another user by e.g. tricking the user into following a malicious link.


Discovery: 2008-09-22
Entry: 2008-09-23
Modified: 2010-05-12

Affected packages:
proftpd, proftpd-mysql: < 1.3.2rc2
proftpd-devel: < 1.3.20080922

References:
CVE-2008-4242
CVE-2008-4247
http://secunia.com/advisories/31930/
http://bugs.proftpd.org/show_bug.cgi?id=3115

VuXML ID: ca0841ff-1254-11de-a964-0030843d3802
Description: proftpd -- multiple sql injection vulnerabilities

Secunia reports:

Some vulnerabilities have been reported in ProFTPD, which can be exploited by malicious people to conduct SQL injection attacks.

The application improperly sets the character encoding prior to performing SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code in an environment using a multi-byte character encoding.

An error exists in the "mod_sql" module when processing e.g. user names containing '%' characters. This can be exploited to bypass input sanitation routines and manipulate SQL queries by injecting arbitrary SQL code.


Discovery: 2009-02-06
Entry: 2009-03-16

Affected packages:
proftpd, proftpd-mysql: < 1.3.2
proftpd-devel: le 1.3.20080922

References:
CVE-2009-0542
CVE-2009-0543
http://secunia.com/advisories/33842/
http://bugs.proftpd.org/show_bug.cgi?id=3173
http://bugs.proftpd.org/show_bug.cgi?id=3124
http://milw0rm.com/exploits/8037