FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-29 10:45:39 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: 022a4c77-2da4-11e1-b356-00215c6a37bb
Description: proftpd -- arbitrary code execution vulnerability with chroot

The FreeBSD security advisory FreeBSD-SA-11:07.chroot reports:

If ftpd is configured to place a user in a chroot environment, then an attacker who can log in as that user may be able to run arbitrary code(...).

ProFTPD shares a problem of the same nature.

Discovery 2011-11-30
Entry 2011-12-23
Modified 2012-01-29

Affected packages:
FreeBSD: ge 7.3 lt 7.3_9; ge 7.4 lt 7.4_5; ge 8.1 lt 8.1_6; ge 8.2 lt 8.2_5
proftpd, proftpd-mysql: < 1.3.3g_1
proftpd-devel: < 1.3.3.r4_3,1

References:
SA-11:07.chroot
http://seclists.org/fulldisclosure/2011/Nov/452
VuXML ID: ca0841ff-1254-11de-a964-0030843d3802
Description: proftpd -- multiple sql injection vulnerabilities

Secunia reports:

Some vulnerabilities have been reported in ProFTPD, which can be exploited by malicious people to conduct SQL injection attacks.

The application improperly sets the character encoding prior to performing SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code in an environment using a multi-byte character encoding.

An error exists in the "mod_sql" module when processing e.g. user names containing '%' characters. This can be exploited to bypass input sanitation routines and manipulate SQL queries by injecting arbitrary SQL code.

Discovery 2009-02-06
Entry 2009-03-16

Affected packages:
proftpd, proftpd-mysql: < 1.3.2
proftpd-devel: le 1.3.20080922

References:
CVE-2009-0542
CVE-2009-0543
http://secunia.com/advisories/33842/
http://bugs.proftpd.org/show_bug.cgi?id=3173
http://bugs.proftpd.org/show_bug.cgi?id=3124
http://milw0rm.com/exploits/8037
VuXML ID: 0f51f2c9-8956-11dd-a6fe-0030843d3802
Description: proftpd -- Long Command Processing Vulnerability

Secunia reports:

The vulnerability is caused by the application truncating an overly long FTP command and improperly interpreting the remainder string as a new FTP command. This can be exploited to execute arbitrary FTP commands with the privileges of another user by e.g. tricking the user into following a malicious link.

Discovery 2008-09-22
Entry 2008-09-23
Modified 2010-05-12

Affected packages:
proftpd, proftpd-mysql: < 1.3.2rc2
proftpd-devel: < 1.3.20080922

References:
CVE-2008-4242
CVE-2008-4247
http://secunia.com/advisories/31930/
http://bugs.proftpd.org/show_bug.cgi?id=3115
VuXML ID: 3f851b22-89fb-11db-a937-003048116330
Description: proftpd -- remote code execution vulnerabilities

The ProFTPD development team reports that several remotely triggerable buffer overflows have been found in the ProFTPD server.

Discovery 2006-11-10
Entry 2006-12-21

Affected packages:
proftpd, proftpd-mysql: < 1.3.0_5

References:
CVE-2006-5815
CVE-2006-6170
VuXML ID: cca97f5f-7435-11db-91de-0008743bf21a
Description: proftpd -- Remote Code Execution Vulnerability

FrSIRT reports:

A vulnerability has been identified in ProFTPD, which could be exploited by attackers to cause a denial of service or execute arbitrary commands. This flaw is due to a buffer overflow error in the "main.c" file where the "cmd_buf_size" size of the buffer used to handle FTP commands sent by clients is not properly set to the size configured via the "CommandBufferSize" directive, which could be exploited by attackers to compromise a vulnerable server via a specially crafted FTP command.

Discovery 2006-11-10
Entry 2006-11-14
Modified 2006-11-15

Affected packages:
proftpd, proftpd-mysql: le 1.3.0_2

References:
http://www.frsirt.com/english/advisories/2006/4451
VuXML ID: c28f4705-043f-11da-bc08-0001020eed82
Description: proftpd -- format string vulnerabilities

The ProFTPD release notes state:

sean found two format string vulnerabilities, one in mod_sql's SQLShowInfo directive, and one involving the 'ftpshut' utility. Both can be considered low risk, as they require active involvement on the part of the site administrator in order to be exploited.

These vulnerabilities could potentially lead to information disclosure, a denial-of-service situation, or execution of arbitrary code with the permissions of the user running ProFTPD.

Discovery 2005-07-26
Entry 2005-08-03

Affected packages:
proftpd, proftpd-mysql: < 1.3.0.rc2

References:
CVE-2005-2390
http://www.gentoo.org/security/en/glsa/glsa-200508-02.xml
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.0rc2