CVE-2010-4652

Published: 02 February 2011

Heap-based buffer overflow in the sql_prepare_where function (contrib/mod_sql.c) in ProFTPD before 1.3.3d, when mod_sql is enabled, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted username containing substitution tags, which are not properly handled during construction of an SQL query.

Priority: Medium

Status

Package: proftpd-dfsg (Launchpad, Ubuntu, Debian)

Release                         Status
Upstream                        Released (1.3.3a-6)
Ubuntu 14.04 ESM (Trusty Tahr)  Released (1.3.3d-4)