SQL Injection also affects Non-Web Applications
It is becoming clear that, due to the massive adoption of open-source SQL-based databases such as MySQL, more products are moving towards transparent integration with them for authentication and data retrieval purposes. In some cases, even non-web applications can take advantage of that.
The first question (or maybe the second) that comes to mind is: are they also vulnerable to the same class of attacks a web application is? ProFTPd's latest vulnerability seems to answer that question. An integration with MySQL libraries to allow user authentication based on SQL tables has also introduced a SQL injection vulnerability that can be easily exploited by any individual with FTP access.
Due to the nature of the attack, you can get yourself authenticated by making the lookup query return a true statement, or you can even control which username and privileges you want to impersonate (using a “LIMIT” clause to retrieve the chosen account).
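The root cause described above is the same one seen in web applications: the username supplied at the FTP login prompt is spliced into the authentication query as text instead of being passed as a bound parameter. The following is an added example, not code from the original post or from ProFTPd; it uses a constructed in-memory SQLite table (a hypothetical `ftpusers` schema, not ProFTPd's real mod_sql tables) to put the string-concatenated lookup next to its parameterized form, and adds the kind of input validation a defender would want in front of either. The login step shown is only the account lookup; password verification would follow it.

```python
import re
import sqlite3

# Constructed stand-in for the SQL-backed FTP account store (hypothetical schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ftpusers (userid TEXT, passwd TEXT, uid INTEGER, homedir TEXT)"
    )
    conn.executemany(
        "INSERT INTO ftpusers VALUES (?, ?, ?, ?)",
        [
            ("admin", "constructed-admin-pw", 0, "/"),          # privileged account, first row
            ("alice", "constructed-alice-pw", 1001, "/home/alice"),
        ],
    )
    return conn

DB = build_db()

# Vulnerable pattern: the username becomes part of the SQL text, so quote characters,
# OR clauses and LIMIT in the input are interpreted as SQL, exactly the weakness the
# post describes. Kept here only for contrast with the safe version below.
def lookup_vulnerable(username, conn=DB):
    sql = "SELECT userid, uid, homedir FROM ftpusers WHERE userid = '%s'" % username
    return conn.execute(sql).fetchone()

# Hardened pattern: a bound parameter. The driver sends the username as data; the
# statement structure is fixed before any user input is seen, so no input can change
# which rows match.
def lookup_safe(username, conn=DB):
    sql = "SELECT userid, uid, homedir FROM ftpusers WHERE userid = ?"
    return conn.execute(sql, (username,)).fetchone()

# Defense in depth: an FTP account name has no business containing quotes, spaces or
# SQL punctuation. Rejecting such input before it reaches any query also gives a clean
# log line to alert on. (Assumed policy; adjust to the site's real naming rules.)
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None

def authenticate_lookup(username, conn=DB):
    """Lookup step of a hardened login: validate, then query with a bound parameter."""
    if not is_valid_username(username):
        return None  # reject early; a real server would log this as a suspicious login
    return lookup_safe(username, conn)

if __name__ == "__main__":
    # Constructed input of the kind the post describes: a quote to close the literal,
    # an always-true condition, and LIMIT 1 to pick the first (privileged) account.
    crafted = "x' OR 1=1 LIMIT 1 --"
    print("vulnerable lookup:", lookup_vulnerable(crafted))   # returns the admin row
    print("parameterized lookup:", lookup_safe(crafted))      # returns None
    print("validated lookup:", authenticate_lookup(crafted))  # returns None
    print("normal login:", authenticate_lookup("alice"))
```

The two lookups differ by one thing only, the `?` placeholder with a parameter tuple, which is the change that actually closes the hole; the regex check is an extra layer that makes attempts visible rather than the fix itself.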
SANS also has a quick analysis available in their “Handler’s Diary”.