11558 2007-04-18 15:13:02 +0400 ProFTPD Auth API Multiple Authentication Modules Security Issue 2008-02-28 15:41:39 +0300 1 1 4 Development Sisyphus proftpd unstable all Linux CLOSED FIXED http://bugs.proftpd.org/show_bug.cgi?id=2922 P2 normal --- 1 vvk lakostis ender thresh qa-sisyphus oldest_to_newest 49069 0 vvk 2007-04-18 15:13:03 +0400 SOFTWARE: ProFTPD 1.3.x http://secunia.com/product/5430/ ProFTPD 1.2.x http://secunia.com/product/1250/ DESCRIPTION: A security issue has been reported in ProFTPD, which potentially can be exploited by malicious people to bypass certain security restrictions. The security issue is caused due to an error within ProFTPD's Auth API. If multiple authentication modules are used, it is possible that one module provides data, which is then authenticated against another module. This can e.g. be exploited to bypass certain security restrictions if authentication modules are configured with different policies. SOLUTION: Fixed in the CVS repository. PROVIDED AND/OR DISCOVERED BY: Evgeni Golov ORIGINAL ADVISORY: ProFTPD: http://bugs.proftpd.org/show_bug.cgi?id=2922 Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419255 50286 1 lakostis 2007-05-16 15:33:52 +0400 Fixed in proftpd-1.3.0rel-alt2.