April 20, 2020

GHSL-2020-031: SQL injection in PureFTPd

Antonio Morales

Summary

The pw_pgsql_connect function does not properly sanitize SQL queries, leading to SQLi via the pgsql config file.

Product

PureFTPd

CVE

No CVE assigned

Tested Version

Development version - master branch (Feb 20, 2020)

Details: Broken SQL sanitizer in pw_pgsql_connect (SQLi via config file)

Two different bugs have been detected:

  • There is a mistake in pw_pgsql_escape_conninfo_ in the case for '\' here: the current code re-introduces the single quote.
  • The snprintf function is called with the non-escaped strings (server, port, db, user, pw) instead of the escaped strings (escaped_server, escaped_db, escaped_user, escaped_pw) here. As a result, the conninfo string is not properly sanitized and it is possible to inject SQL code into this query.
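The two defects above both sit in the same short path: escape each value, then format the conninfo string from the escaped copies only. The following C example is an added illustration written for this advisory, not PureFTPd's code; the function names (escape_conninfo_value, build_conninfo, count_conninfo_params) and the sample values are assumptions. It shows a backslash/quote escaper where both cases get the same treatment, a builder that cannot be handed raw values, and a small quote-aware parser used to confirm that an escaped value stays a single parameter in the resulting libpq conninfo string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape one value for use between single quotes in a libpq conninfo
 * string. Inside a quoted value, backslash and single quote must be
 * written as \\ and \'. Result is heap-allocated; caller frees it.
 * Returns NULL on allocation failure. */
char *escape_conninfo_value(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len * 2 + 1);   /* worst case: every byte escaped */
    char *p = out;

    if (out == NULL) {
        return NULL;
    }
    for (; *in != '\0'; in++) {
        switch (*in) {
        case '\'':
        case '\\':
            /* Both characters get a backslash prefix followed by the
             * original byte. Emitting a quote here instead would re-open
             * the quoted value, which is the mistake the advisory
             * describes for the backslash case. */
            *p++ = '\\';
            *p++ = *in;
            break;
        default:
            *p++ = *in;
            break;
        }
    }
    *p = '\0';
    return out;
}

/* Build the conninfo string. Escaping happens inside this function so
 * the snprintf call can only ever see escaped copies, never the raw
 * config-file values. Returns the length written, or -1 on error or
 * truncation (a partial conninfo string must not be used). */
int build_conninfo(char *buf, size_t size,
                   const char *server, const char *port, const char *db,
                   const char *user, const char *pw)
{
    char *e_server = escape_conninfo_value(server);
    char *e_port = escape_conninfo_value(port);
    char *e_db = escape_conninfo_value(db);
    char *e_user = escape_conninfo_value(user);
    char *e_pw = escape_conninfo_value(pw);
    int n = -1;

    if (e_server && e_port && e_db && e_user && e_pw) {
        n = snprintf(buf, size,
                     "host='%s' port='%s' dbname='%s' user='%s' password='%s'",
                     e_server, e_port, e_db, e_user, e_pw);
        if (n < 0 || (size_t)n >= size) {
            n = -1;
        }
    }
    free(e_server); free(e_port); free(e_db); free(e_user); free(e_pw);
    return n;
}

/* Count key=value pairs the way a quote-aware reader would: an '=' only
 * counts as a parameter boundary outside a quoted value, and a
 * backslash inside quotes skips the next byte. Used to check that an
 * escaped value cannot introduce extra parameters. */
int count_conninfo_params(const char *s)
{
    int params = 0;
    int in_quote = 0;

    for (; *s != '\0'; s++) {
        if (in_quote) {
            if (*s == '\\' && s[1] != '\0') {
                s++;                     /* skip the escaped byte */
            } else if (*s == '\'') {
                in_quote = 0;
            }
        } else if (*s == '\'') {
            in_quote = 1;
        } else if (*s == '=') {
            params++;
        }
    }
    return params;
}

int main(void)
{
    char buf[512];
    /* Constructed sample password containing both special characters. */
    const char *pw = "pa'ss\\word";

    if (build_conninfo(buf, sizeof buf, "localhost", "5432", "pureftpd",
                       "ftpuser", pw) < 0) {
        return 1;
    }
    printf("%s\n%d parameters\n", buf, count_conninfo_params(buf));
    return 0;
}
```

Run as-is, the sample password comes out as password='pa\'ss\\word' and the parser still sees five parameters; if the same value had been passed to snprintf unescaped, the quote would close the password value early and whatever followed it would be read as additional conninfo parameters.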

Impact

This issue may lead to a local SQLi via the pgsql config file.

Remediation

  • Fix switch-case statement here
  • Use properly escaped strings here

Coordinated Disclosure Timeline

This report is subject to our coordinated disclosure policy.

  • 20/02/2020: Report sent to Vendor
  • 16/03/2020: Vendor acknowledged report
  • 16/03/2020: Fixes reviewed and verified
  • 17/03/2020: Report published to public

Resources

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-031 in any communication regarding this issue.