ID CVE-2007-2165
Summary The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd.
References
Vulnerable Configurations
  • cpe:2.3:a:proftpd_project:proftpd:*:*:*:*:*:*:*:*
CVSS
Base: 5.1 (as of 29-07-2017 - 01:31)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: NETWORK
Complexity: HIGH
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:H/Au:N/C:P/I:P/A:P
refmap via4
bid 23546
confirm
fedora FEDORA-2007-2613
mandriva MDKSA-2007:130
misc http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419255
osvdb 34602
sectrack 1017931
secunia
  • 24867
  • 25724
  • 27516
vupen ADV-2007-1444
xf proftpd-authapi-security-bypass(33733)
Last major update 29-07-2017 - 01:31
Published 22-04-2007 - 19:19
Last modified 29-07-2017 - 01:31