Summary: The pw_pgsql_connect function does not properly sanitize SQL queries, leading to SQLi via the pgsql config file.
Product: PureFTPd

CVE: No CVE assigned

Tested version: Development version - master branch (Feb 20, 2020)

Details: pw_pgsql_connect (SQLi via config file)

Two different bugs have been detected:
1. pw_pgsql_escape_conninfo_ does not correctly escape the input for the case '\' here. The current code snippet re-introduces the single quote.

2. The snprintf function is called with the non-escaped strings (server, port, db, user, pw) instead of the escaped strings (escaped_server, escaped_db, escaped_user, escaped_pw) here.

As a result, the conninfo string is not properly sanitized and it is possible to inject SQL code into this query. This issue may lead to a local SQLi via the pgsql config file.
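The following is an added example, not Pure-FTPd's code: it shows what a correct escape routine for a libpq conninfo value looks like (both the backslash and the single quote are prefixed with a backslash, so the '\' case cannot re-introduce a quote) and a builder that passes only the escaped copies to snprintf. Function names, the buffer layout and the sample values are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a value for use inside single quotes in a libpq conninfo string.
 * Both '\' and '\'' must be prefixed with a backslash; escaping only the
 * quote leaves "\'" able to end a field early. Returns a malloc'd string
 * (caller frees) or NULL on allocation failure. */
char *escape_conninfo_value(const char *in)
{
    size_t len = strlen(in), extra = 0;
    for (const char *p = in; *p; p++)
        if (*p == '\\' || *p == '\'') extra++;
    char *out = malloc(len + extra + 1), *o = out;
    if (!out) return NULL;
    for (const char *p = in; *p; p++) {
        if (*p == '\\' || *p == '\'') *o++ = '\\'; /* prefix, then copy byte */
        *o++ = *p;
    }
    *o = '\0';
    return out;
}

/* Build the conninfo string from the escaped copies only (never from the
 * raw config values). Returns 0 on success, -1 on allocation/truncation. */
int build_conninfo(char *buf, size_t size, const char *server, const char *port,
                   const char *db, const char *user, const char *pw)
{
    char *es = escape_conninfo_value(server), *ep = escape_conninfo_value(port),
         *ed = escape_conninfo_value(db), *eu = escape_conninfo_value(user),
         *ew = escape_conninfo_value(pw);
    int rc = -1;
    if (es && ep && ed && eu && ew) {
        int n = snprintf(buf, size,
                         "host='%s' port='%s' dbname='%s' user='%s' password='%s'",
                         es, ep, ed, eu, ew);
        rc = (n >= 0 && (size_t)n < size) ? 0 : -1;
    }
    free(es); free(ep); free(ed); free(eu); free(ew);
    return rc;
}

/* Sanity check usable in a unit test: count single quotes that are not
 * preceded by an escaping backslash. A well-formed five-field conninfo has
 * exactly ten; any other count means a value broke out of its quoting. */
int count_unescaped_quotes(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '\\' && s[1]) { s++; continue; } /* skip escaped byte */
        if (*s == '\'') n++;
    }
    return n;
}
```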
Coordinated disclosure: This report is subject to our coordinated disclosure policy.

Credit: This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact: You can contact the GHSL team at securitylab@github.com; please include the GHSL-2020-031 in any communication regarding this issue.