This host is running ProFTPD Server and is prone to remote SQL Injection vulnerability.

Successful exploitation will allow remote attackers to execute arbitrary SQL commands, thus gaining access to random user accounts.

Upgrade to the latest version 1.3.2rc3, http://www.proftpd.org/

This flaw occurs because the server performs improper input sanitising, - when a %(percent) character is passed in the username, a single quote (') gets introduced during variable substitution by mod_sql and this eventually allows for an SQL injection during login. - when NLS support is enabled, a flaw in variable substition feature in mod_sql_mysql and mod_sql_postgres may allow an attacker to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters.

ProFTPD Server version 1.3.1 through 1.3.2rc2

• http://www.securityfocus.com/archive/1/archive/1/500833/100/0/threaded
• http://www.securityfocus.com/archive/1/archive/1/500851/100/0/threaded

---

Updated on 2017-03-28