Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.
AnalysisAI
SQL injection in ProFTPD 1.3.9a and earlier allows remote attackers to execute arbitrary SQL commands when the 'UseReverseDNS on' configuration is enabled. The vulnerability exists in mod_wrap2_sql.c where attacker-controlled reverse DNS hostnames are passed unescaped into SQL queries during client access control checks. Exploitation complexity is high due to DNS character restrictions and specific configuration requirements. No active exploitation confirmed (not in CISA KEV), but upstream fix is available via GitHub commit 7666224. EPSS risk data not provided.
Technical ContextAI
ProFTPD's mod_wrap2_sql module implements TCP Wrappers-style access control using SQL databases. The sqltab_fetch_clients_cb() function performs reverse DNS lookups on connecting client IP addresses to resolve hostnames, then queries an SQL database to check access permissions. The CWE-89 SQL injection vulnerability occurs because the resolved hostname is concatenated directly into SQL queries without sanitization. The fix introduces sqltab_get_escaped_text() which calls mod_sql.c's sql_escapestr hook to properly escape user-controlled data before database operations. This affects installations using both mod_wrap2_sql for access control AND UseReverseDNS enabled, requiring mod_sql.c to be loaded. The attack surface is limited to reverse DNS responses, which are constrained by RFC-compliant DNS character sets (alphanumeric, hyphens, dots), though creative encoding may bypass these restrictions.
RemediationAI
Apply the upstream fix by upgrading to ProFTPD builds incorporating commit 766622456440fbca33abd7927c523673a11d1ed1 or later, which introduces proper SQL escaping via the sql_escapestr hook in mod_wrap2_sql.c (module version updated to 1.1). Source available at https://github.com/proftpd/proftpd/commit/766622456440fbca33abd7927c523673a11d1ed1. No tagged release version incorporating this fix is confirmed at time of analysis; administrators may need to build from source or await vendor-packaged updates. Immediate workaround: disable UseReverseDNS in proftpd.conf (set to 'off'), which eliminates the attack vector but sacrifices hostname-based access controls and may break configurations relying on DNS names in mod_wrap2_sql tables. Alternative mitigation: switch from mod_wrap2_sql to file-based mod_wrap2_file for access control, though this requires reconfiguring access policies and loses SQL-based centralized management. Ensure mod_sql.c is loaded if continuing to use mod_wrap2_sql, as the fix depends on the sql_escapestr symbol.
Same weakness CWE-89 – SQL Injection
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27484
GHSA-jmg2-v72j-gmvc