GHSL-2020-031: SQL injection in PureFTPd

Summary

The pw_pgsql_connect function does not properly sanitize SQL queries, leading to SQLi via the pgsql config file.

Product

PureFTPd

CVE

No CVE assigned

Tested Version

Development version - master branch (Feb 20, 2020)

Details: Broken SQL sanitizer in pw_pgsql_connect (SQLi via config file)

Two different bugs have been detected:

• There is a mistake in pw_pgsql_escape_conninfo_ for the case '\' here. The current code snippet is re-introducing the single-quote.
• The snprintf function is called with non-escaped strings (server, port, db, user, pw), instead of using escaped strings (escaped_server, escaped_db, escaped_user, escaped_pw) here. As a result, conninfo string is not being properly sanitized and it is possible to inject SQL code into this query.

Impact

This issue may lead to a local SQLi via pqsql config file.

Remediation

• Fix switch-case statement here
• Use properly escaped strings here

Coordinated Disclosure Timeline

This report is subject to our coordinated disclosure policy.

• 20/02/2020: Report sent to Vendor
• 16/03/2020: Vendor acknowledged report
• 16/03/2020: Fixes reviewed and verified
• 17/03/2020: Report published to public

Resources

• Bug1.png: 1st Vulnerable code snippet
• Bug2.png: 2nd Vulnerable code snippet
• Step1.png: Configuration file example
• Step2.png: "conninfo" string value (GDB)

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-031 in any communication regarding this issue.