Critical SQL Injection Flaw in ProFTPD Exposes Servers to Remote Attacks
A severe SQL injection vulnerability (CVE-2026-42167) has been discovered in ProFTPD, a widely used FTP server shipped by Linux distributions and deployed across web hosting platforms. Rated CVSS 8.1, the flaw sits in the mod_sql module, which provides database-backed authentication and logging.
The vulnerability stems from a logic error in the is_escaped_text() function, which decides whether a value substituted for a logging variable such as %U (the client-supplied username) still needs escaping. A value that begins and ends with a single quote is treated as already escaped and is inserted into the SQL statement verbatim, so an attacker who sends such a username closes the string literal early and appends SQL of their own choosing, which then runs against the backend database.
Potential Impacts:
- Authentication bypass: if mod_sql logs events that occur before login completes (for example a SQLLog rule on the USER or PASS command), the injected statement runs for unauthenticated clients. An attacker can insert a backdoor account, with a UID, GID and home directory of their choosing, into the table mod_sql authenticates against and then log in as it.
- Remote code execution (RCE): when mod_sql connects to PostgreSQL as a superuser (or a role granted pg_execute_server_program), the attacker can stack a COPY ... TO PROGRAM statement, which runs an arbitrary shell command on the database host.
- Data theft: even where query results are never shown to the client, blind (boolean- or time-based) SQL injection can extract rows from the authentication table, including plaintext passwords or password hashes.
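To make the mechanism concrete, here is a small Python model written for this page; it is not ProFTPD's source. It contains a hypothetical is_escaped_text() that mirrors the heuristic described above, a logging template of the kind mod_sql expands, the stacked-statement payload that abuses it, and the parameterized form that closes the hole. The template, the users/ftplog schema, the payload and the use of sqlite3's executescript (standing in for a database driver whose simple-query call accepts several statements at once, as libpq's does) are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed SQLLog-style template for this example: %U is the username the
# client sent, %m the FTP command. The quotes around the values are the
# template author's, as in a typical mod_sql logging query. Not ProFTPD code.
LOG_TEMPLATE = "INSERT INTO ftplog (username, command) VALUES ('%U', '%m')"

# Constructed schema: a user table of the kind mod_sql authenticates against,
# plus the log table the template writes to.
SCHEMA = """
CREATE TABLE users (userid TEXT, passwd TEXT, uid INTEGER, gid INTEGER,
                    homedir TEXT, shell TEXT);
CREATE TABLE ftplog (username TEXT, command TEXT);
"""

# Constructed payload. It begins and ends with a single quote, so the flawed
# check below treats it as pre-escaped; the middle closes the template's VALUES
# list, stacks an INSERT into the auth table and comments out the template tail.
PAYLOAD = "', ''); INSERT INTO users VALUES ('backdoor', 'x', 0, 0, '/', '/bin/sh'); --'"


def is_escaped_text(value):
    """Hypothetical reconstruction of the flawed heuristic: text that begins and
    ends with a single quote is assumed to be already quoted and escaped."""
    return len(value) >= 2 and value[0] == "'" and value[-1] == "'"


def escape_quotes(value):
    """Standard escaping for the body of a SQL string literal."""
    return value.replace("'", "''")


def expand_vulnerable(username, command):
    """Expands the template the way the flawed path does: a value that 'looks
    escaped' is substituted verbatim, anything else is escaped. Single-pass
    substitution so a value containing %m cannot be expanded twice."""
    values = {
        "%U": username if is_escaped_text(username) else escape_quotes(username),
        "%m": escape_quotes(command),
    }
    return re.sub(r"%[Um]", lambda m: values[m.group(0)], LOG_TEMPLATE)


def run_vulnerable(conn, username, command):
    # executescript accepts stacked statements, standing in for a driver such
    # as libpq whose simple-query call does the same.
    conn.executescript(expand_vulnerable(username, command))


def run_fixed(conn, username, command):
    # Hardened form: the driver binds the values as data, so no quoting
    # heuristic is needed and nothing the client sends is parsed as SQL.
    conn.execute("INSERT INTO ftplog (username, command) VALUES (?, ?)",
                 (username, command))


def demo(runner, username=PAYLOAD, command="USER"):
    """Runs one logging implementation against a username in a fresh in-memory
    database and returns (accounts in the user table, usernames in the log)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    runner(conn, username, command)
    accounts = [r[0] for r in conn.execute("SELECT userid FROM users")]
    logged = [r[0] for r in conn.execute("SELECT username FROM ftplog")]
    conn.close()
    return accounts, logged


if __name__ == "__main__":
    print("vulnerable:", demo(run_vulnerable))   # (['backdoor'], [''])
    print("fixed:     ", demo(run_fixed))        # ([], [PAYLOAD])
```

Note that expand_vulnerable() escapes a name such as o'brien correctly; only a value matching the heuristic bypasses escaping, which is why the "begins and ends with a single quote" shape is the signature of this bug. The fix is not a better heuristic but removing string assembly altogether: with bound parameters the payload is stored in ftplog as an ordinary string and the users table is untouched.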
How bad the flaw is in practice depends on configuration (which events mod_sql logs and which privileges its database account holds), but mod_sql's widespread use in hosting environments amplifies the risk. ProFTPD 1.3.9a fixes the issue; where it cannot be deployed immediately, disabling mod_sql logging is the documented temporary mitigation. Independently of the patch, the database account mod_sql uses should hold only the privileges it needs (read on the user table, insert on the log table, never superuser), which closes the COPY TO PROGRAM route and limits what a successful injection can write. Security teams are advised to monitor FTP and database activity for signs of exploitation, such as unauthorized user creation, stacked statements or otherwise unusual queries.
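The monitoring advice above, turned into a check that can be run over logs. This is an added example, not code from the article or the ProFTPD project. The FTP command log and PostgreSQL statement log lines are constructed for the example and their field layout is an assumption; the rules flag the exact shape this bug needs (a USER value that begins and ends with a single quote), writes to the authentication table, stacked statements, and COPY ... TO PROGRAM.

```python
import re

# Constructed sample logs (not real ProFTPD or PostgreSQL output; the field
# layout is an assumption made for this example).
FTP_LOG = """\
2026-04-10T12:00:01Z 203.0.113.7 USER alice
2026-04-10T12:00:02Z 203.0.113.7 PASS ********
2026-04-10T12:00:05Z 198.51.100.9 USER o'brien
2026-04-10T12:00:09Z 198.51.100.9 USER ', ''); INSERT INTO users VALUES ('backdoor', 'x', 0, 0, '/', '/bin/sh'); --'
""".splitlines()

PG_LOG = """\
2026-04-10 12:00:01 UTC [4101] ftp@ftpdb LOG:  statement: SELECT passwd FROM users WHERE userid = 'alice'
2026-04-10 12:00:09 UTC [4102] ftp@ftpdb LOG:  statement: INSERT INTO ftplog (username, command) VALUES ('', ''); INSERT INTO users VALUES ('backdoor', 'x', 0, 0, '/', '/bin/sh'); --'', 'USER')
2026-04-10 12:00:15 UTC [4103] ftp@ftpdb LOG:  statement: COPY (SELECT '') TO PROGRAM 'id > /tmp/out'
""".splitlines()

USER_CMD = re.compile(r"^\S+ (?P<ip>\S+) USER (?P<name>.*)$")
STATEMENT = re.compile(r"LOG:\s+statement: (?P<sql>.*)$")
AUTH_TABLE_WRITE = re.compile(r"\b(INSERT\s+INTO|UPDATE|DELETE\s+FROM)\s+users\b", re.I)
COPY_TO_PROGRAM = re.compile(r"\bCOPY\b.*\bTO\s+PROGRAM\b", re.I)
STACKED = re.compile(r";\s*(INSERT|UPDATE|DELETE|COPY|CREATE|DROP|ALTER|GRANT)\b", re.I)


def scan_ftp_log(lines):
    """Flags USER values. A name that begins and ends with a single quote is the
    exact shape the flawed is_escaped_text() check lets through (high
    confidence); other SQL metacharacters are a weaker signal, since legitimate
    names such as o'brien contain them."""
    findings = []
    for line in lines:
        m = USER_CMD.match(line)
        if not m:
            continue
        name = m.group("name")
        if len(name) >= 2 and name.startswith("'") and name.endswith("'"):
            findings.append(("quote_wrapped_username", m.group("ip"), name))
        elif any(tok in name for tok in ("'", ";", "--")):
            findings.append(("sql_metachar_username", m.group("ip"), name))
    return findings


def scan_pg_log(lines):
    """Flags statements the FTP role should never issue: writes to the auth
    table, stacked statements and COPY ... TO PROGRAM."""
    findings = []
    for line in lines:
        m = STATEMENT.search(line)
        if not m:
            continue
        sql = m.group("sql")
        if AUTH_TABLE_WRITE.search(sql):
            findings.append(("auth_table_write", sql))
        if STACKED.search(sql):
            findings.append(("stacked_statement", sql))
        if COPY_TO_PROGRAM.search(sql):
            findings.append(("copy_to_program", sql))
    return findings


if __name__ == "__main__":
    for finding in scan_ftp_log(FTP_LOG) + scan_pg_log(PG_LOG):
        print(*finding)
```

The database-side rules only see what the server logs: in PostgreSQL that means log_statement = 'all', since the 'mod' level omits COPY ... TO. The quote-wrapped username rule needs no baseline; the metacharacter rule does, so treat it as context for triage rather than an alert on its own.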
Source: https://cybersecuritynews.com/proftpds-sql-injection-vulnerability/
ProFTPD TPRM report: https://www.rankiteo.com/company/atack-whyte-knight-enterprises-awke-llp
"id": "ata1777537525",
"linkid": "atack-whyte-knight-enterprises-awke-llp",
"type": "Vulnerability",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact, including customer data leaks"
{
  "affected_entities": [
    {"industry": "Web Hosting, IT Infrastructure", "location": "Global", "name": "ProFTPD", "type": "Software"}
  ],
  "attack_vector": "Remote",
  "data_breach": {
    "data_exfiltration": "Possible via blind SQL injection",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Plaintext passwords", "Hashes"]
  },
  "description": "A severe SQL injection vulnerability (CVE-2026-42167) has been discovered in ProFTPD, a widely used FTP server deployed across Linux distributions and web hosting platforms. The flaw affects the mod_sql extension, which enables database-backed authentication and logging. The vulnerability stems from a logical error in the is_escaped_text() function, which processes logging variables like %U (username). Attackers can exploit this by crafting a username that begins and ends with a single quote, tricking the system into bypassing sanitization and executing unauthorized SQL commands.",
  "impact": {
    "data_compromised": "Sensitive data, including plaintext passwords or hashes",
    "operational_impact": "Authentication bypass, remote code execution, data theft",
    "systems_affected": "ProFTPD servers with mod_sql extension enabled"
  },
  "post_incident_analysis": {
    "corrective_actions": "Patch vulnerability, review and harden mod_sql configurations",
    "root_causes": "Logical error in is_escaped_text() function in mod_sql extension"
  },
  "recommendations": "Upgrade to ProFTPD version 1.3.9a, disable mod_sql logging if patching is not immediately possible, monitor for exploitation attempts.",
  "references": [{"source": "CVE-2026-42167"}],
  "response": {
    "containment_measures": "Disable mod_sql logging, upgrade to ProFTPD version 1.3.9a",
    "enhanced_monitoring": "Monitor FTP and database activity for signs of exploitation (e.g., unauthorized user creation, unusual queries)",
    "remediation_measures": "Apply patch (ProFTPD version 1.3.9a)"
  },
  "title": "Critical SQL Injection Flaw in ProFTPD Exposes Servers to Remote Attacks",
  "type": "SQL Injection",
  "vulnerability_exploited": "CVE-2026-42167"
}