CVE-2007-2165

The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd.

Published: Apr 22, 2007
Updated: Apr 13, 2023
CVE: CVE-2007-2165
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
proftpd_project / proftpd	-	1.3.0_rc1.x

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419255
http://bugs.proftpd.org/show_bug.cgi?id=2922
http://osvdb.org/34602
http://secunia.com/advisories/24867
http://secunia.com/advisories/25724
http://secunia.com/advisories/27516
http://securitytracker.com/id?1017931
http://www.mandriva.com/security/advisories?name=MDKSA-2007:130
http://www.securityfocus.com/bid/23546
http://www.vupen.com/english/advisories/2007/1444
https://bugzilla.redhat.com/show_bug.cgi?id=237533
https://exchange.xforce.ibmcloud.com/vulnerabilities/33733
https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00065.html

Vulnerability Database

289,599

CVE-2007-2165