MitreCVELIST:CVE-2007-2165CVE-2007-2165
The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd.
References
bugs.debian.org/cgi-bin/bugreport.cgi?bug=419255
bugs.proftpd.org/show_bug.cgi?id=2922
osvdb.org/34602
secunia.com/advisories/24867
secunia.com/advisories/25724
secunia.com/advisories/27516
securitytracker.com/id?1017931
www.mandriva.com/security/advisories?name=MDKSA-2007:130
www.securityfocus.com/bid/23546
www.vupen.com/english/advisories/2007/1444
bugzilla.redhat.com/show_bug.cgi?id=237533
exchange.xforce.ibmcloud.com/vulnerabilities/33733
www.redhat.com/archives/fedora-package-announce/2007-November/msg00065.html
Related
