COMMAND

    mod_sqlpw

SYSTEMS AFFECTED

    ProFTPD

PROBLEM

    Joe Miller found the following.  The mod_sqlpw module for ProFTPD
    caches the user id and password information returned from the
    MySQL database when attempting to verify a password.  When the
    "user" command is used to switch to another account, the cached
    password is not cleared, and the password entered is checked
    against the cached password.  If a user knows the password for a
    valid account on a ProFTPD system using mod_sqlpw, they may log
    into any other account in the database by doing the following:

        1. FTP to the host running ProFTPD/mod_sqlpw.
        2. At the login prompt, enter the user id of the known account
           "bob".
        3. When prompted for a password, enter an invalid password for
           the account "bob".  Authentication will fail.
        4. Type "user alice", where "alice" is another account in  the
           user database.
        5. When prompted  for a password,  enter the correct  password
           for "bob".

    At this point,  the user "bob"  is logged in  as the user  "alice"
    without knowing alice's password.
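
    The following is an added example, not mod_sqlpw's code: a simplified
    C model of the per-session cache as the report above describes it,
    with the missing invalidation on "user" shown beside the fix.  The
    account table, struct and function names are all hypothetical, and
    passwords are plaintext only to keep the model short.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample accounts standing in for the SQL user table. */
struct account { const char *user, *pw; };
static const struct account db[] = { {"bob", "bobpw"}, {"alice", "alicepw"} };

struct session {
    char user[32];       /* name given by the most recent USER command */
    char cached_pw[32];  /* password row fetched from the backend */
    int  cache_valid;    /* nonzero once cached_pw has been filled */
};

static const char *db_lookup(const char *user) {
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].user, user) == 0) return db[i].pw;
    return NULL;
}

/* USER handler: invalidate=0 models the reported flaw, 1 the fix. */
void cmd_user(struct session *s, const char *user, int invalidate) {
    snprintf(s->user, sizeof s->user, "%s", user);
    if (invalidate) s->cache_valid = 0;  /* drop the previous user's row */
}

/* PASS handler: returns 1 if the supplied password is accepted. */
int cmd_pass(struct session *s, const char *pw) {
    if (!s->cache_valid) {               /* only query when nothing is cached */
        const char *stored = db_lookup(s->user);
        if (!stored) return 0;
        snprintf(s->cached_pw, sizeof s->cached_pw, "%s", stored);
        s->cache_valid = 1;
    }
    return strcmp(s->cached_pw, pw) == 0;
}

/* Replays steps 2-5; returns 1 if bob's password is accepted for alice. */
int replay(int invalidate) {
    struct session s = {0};
    cmd_user(&s, "bob", invalidate);
    (void)cmd_pass(&s, "wrong");         /* step 3: fails but fills the cache */
    cmd_user(&s, "alice", invalidate);
    return cmd_pass(&s, "bobpw");
}

int main(void) {
    printf("stale cache: %d, cleared on USER: %d\n", replay(0), replay(1));
    return 0;
}
```

    Clearing the cache whenever the user name changes, or keying the
    cache by user name, closes the gap in this model.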

SOLUTION

    After looking at this a little closer - there's not actually a
    working exploit.  While certainly there's a coding error (and
    possibly an exploit in there somewhere) - we can't get access to
    a user's account that we don't already know the password for.

    *Yes* it says that  "User A logged in"  when user B's password  is
    given BUT you still have to know the password for the account  you
    want to log into.

    Basically, you can't get someone else's account unless you know
    their password.  And if you already know their password, then you
    already have access to their account so there's no real exploit
    here.