Reproducible under Gentoo with ProFTPD 1.3.1, but not under Debian etch with ProFTPD 1.3.0. The newest ProFTPD in Gentoo is 1.3.2-rc2, but there seems to be a MySQL-related patch in the build file now. I also tested vanilla 1.3.2-rc4 and 1.3.2; with all three the SQL injection is not reproducible for me and the query is escaped.

It is also possible to inject your own strings (and break out of the ProFTPD cage) with a user name like this:

%') and 1=2 union (select <name>,1,<uid>,<gid>,0x2F,0x2F62696E2F62617368); -- a

Name can be anything; uid and gid let you select any username with access to the complete filesystem. Only if you use uid=0 and gid=0 does root become nobody and nogroup. Other values seem to work.

- B. Milde
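The mechanism behind the comment above, as an added example that is not part of the original post or of ProFTPD's code: a simplified user lookup with the six mod_sql account columns, first with the user name pasted into the SQL text and then with it bound as a parameter behind an allowlist. The table, the query shape, the crafted name and the allowlist policy are all constructed here for illustration; SQLite stands in for MySQL.

```python
import re
import sqlite3

# Constructed in-memory table with the six columns a mod_sql user lookup
# returns (userid, passwd, uid, gid, homedir, shell). It is a stand-in for
# the MySQL schema, not ProFTPD's own code or configuration.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid TEXT, passwd TEXT, uid INTEGER,"
               " gid INTEGER, homedir TEXT, shell TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'x', 1001, 1001,"
               " '/home/alice', '/bin/false')")
    return db

def lookup_unsafe(db, username):
    """User name is pasted into the SQL text, so quotes in it become SQL."""
    sql = ("SELECT userid, passwd, uid, gid, homedir, shell FROM users"
           " WHERE userid='%s'" % username)
    return db.execute(sql).fetchall()

USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")  # assumed site policy

def lookup_safe(db, username):
    """Allowlist the name, then bind it as a parameter (never as SQL text)."""
    if not USERNAME_RE.match(username):
        return []
    sql = ("SELECT userid, passwd, uid, gid, homedir, shell FROM users"
           " WHERE userid=?")
    return db.execute(sql, (username,)).fetchall()

# Constructed name of the kind the comment describes: closes the quote,
# drops the real row with 1=2, and UNIONs in attacker-chosen account fields.
CRAFTED = "x' and 1=2 union select 'evil','x',1001,1001,'/','/bin/sh' -- "

if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, CRAFTED))  # the UNIONed row replaces the lookup
    print(lookup_safe(db, CRAFTED))    # []
    print(lookup_safe(db, "alice"))    # the real row
```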