ProFTPD: Code injection via mod_sql possible
The FTP server ProFTPD includes a module called mod_sql. It contains an SQL injection vulnerability that can ultimately lead to the execution of injected code.
(Image: Shutterstock/chanpipat)
A vulnerability in the FTP server ProFTPD can lead to the execution of injected malicious code. The security flaw is found in the included mod_sql. A proof-of-concept exploit is already available.
According to the vulnerability description, mod_sql in ProFTPD versions prior to 1.3.10rc1 is affected. Via the username transmitted in the USER command, unauthenticated attackers on the network can inject arbitrary SQL statements and, ultimately, malicious code. This is possible in setups that log USER requests with placeholders such as “%U” and whose SQL backend permits commands like “COPY TO PROGRAM” (CVE-2026-42167, CVSS 8.1, risk “high”).
Updated Software
ProFTPD 1.3.10rc1 was released on Monday and closes the security vulnerability, as shown in the release notes. The developers have also programmed a backport of the security fix; ProFTPD 1.3.9a also patches the security vulnerability.
However, it is unclear which systems are specifically impacted. Some major distributions, like Ubuntu, ship mod_sql for ProFTPD as a separate installation package, so it is not necessarily part of the default installation. Administrators should therefore check whether they are using mod_sql at all, for example to write logs to a database.
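As an added illustration (not code from heise or the ProFTPD project), a small Python triage helper that applies the two facts above: the affected version range, and the risky pattern of passing the raw “%U” username from USER requests into SQL via mod_sql. The SQLNamedQuery/SQLLog directive names and the sample configuration are assumptions about a typical mod_sql logging setup, and the suffix handling for 1.3.9 is an assumption noted in the code.

```python
import re

# ProFTPD version strings look like "1.3.9", "1.3.9a", "1.3.8b", "1.3.10rc1".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]+)?(\d*)")


def is_vulnerable_version(version: str) -> bool:
    """True if the version is before 1.3.10rc1 and is not the 1.3.9a backport.
    Assumption (not from the article): any non-'rc' letter suffix on 1.3.9
    is 1.3.9a or a later bugfix release that keeps the fix."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised ProFTPD version: {version!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    suffix = m.group(4) or ""
    if base >= (1, 3, 10):
        return False  # 1.3.10rc1 and later contain the fix
    if base == (1, 3, 9) and suffix and suffix != "rc":
        return False  # 1.3.9a backport
    return True


# Directive shapes assumed: "SQLNamedQuery <name> <type> <query> [table]"
# and "SQLLog <cmd,cmd,...> <query-name> [IGNORE_ERRORS]". Commented-out
# directives ("#SQLLog ...") do not match because of the anchored regexes.
NAMED_QUERY_RE = re.compile(r"^\s*SQLNamedQuery\s+(\S+)\s+(\S+)\s+(.*)$", re.M)
SQLLOG_RE = re.compile(r"^\s*SQLLog\s+(\S+)\s+(\S+)", re.M)


def risky_user_logging(config_text: str) -> list[str]:
    """Names of SQLLog queries that fire on USER and embed the raw %U value."""
    queries = {name: body for name, _kind, body in NAMED_QUERY_RE.findall(config_text)}
    hits = []
    for cmds, name in SQLLOG_RE.findall(config_text):
        if "USER" in cmds.upper().split(",") and "%U" in queries.get(name, ""):
            hits.append(name)
    return hits


# Constructed sample config: one query logs %U on USER, the other does not.
SAMPLE_CONFIG = """
<IfModule mod_sql.c>
  SQLBackend postgres
  SQLNamedQuery logUser INSERT "'%U', '%L', now()" ftplog
  SQLNamedQuery getCount SELECT "count(*) FROM ftplog"
  SQLLog USER,PASS logUser
  SQLLog RETR getCount
</IfModule>
"""
```

Run `risky_user_logging(SAMPLE_CONFIG)` to see the flagged query name; on a real host, feed it the contents of proftpd.conf and any included files.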
The Internet-wide service database Shodan currently lists around 690,000 ProFTPD instances worldwide. Most of them, over 133,000, are running in Germany, with the USA following in second place.
ProFTPD has been stable for a long time, and major security vulnerabilities are rarely found in it. However, around the end of November 2024, a privilege escalation vulnerability in ProFTPD was discovered. At that time, mod_sql was also the cause of the security warning. If mod_sql was used in ProFTPD, it allowed unauthorized access to files and folders with root group privileges (GID 0).
(dmk)