# Vulnerability Summary: mod_sql SQL Injection Vulnerability (#2052)

## Vulnerability Overview

In the `mod_sql` module, a logic error in the `is_escaped_text()` function allows attackers to trigger SQL injection by crafting specific user inputs (such as usernames).

**Core Cause:** The `is_escaped_text()` function is intended to determine whether a string has already been escaped. However, if a string starts with a single quote, ends with a single quote, and contains no single quotes in between, the function incorrectly returns `TRUE` (assuming it is already escaped). Consequently, the `sql_resolved_append_text()` function skips the escaping step and concatenates the unescaped user input directly into the SQL statement.

**Exploitation Conditions:** Variables controlled by the attacker (such as `%U` for the username) are included in SQL logging statements.

## Impact Scope

- **Affected Module:** `mod_sql`
- **Affected Versions:** 1.3.7a, 1.3.7b, 1.3.8a, and earlier versions (vulnerability introduced in Issue #1149).
- **Potential Impact:**
  - Execution of arbitrary SQL statements.
  - Execution of arbitrary code via `COPY TO PROGRAM`.
  - Potential authentication bypass if the user possesses arbitrary privileges and the password is known.
  - Access to unexpected files on the disk.
- **CVE Number:** CVE-2026-42167

## Remediation

- **Official Fix:** The developer has fixed the issue and backported the patch.
  - The fix has been merged into the 1.3.9 branch.
  - It is recommended to upgrade to supported versions such as 1.3.7, 1.3.8, or 1.3.8 ProFTPD.
- **Temporary Mitigation (for cases where upgrading is not possible):** Use the `mod_rewrite` module to scan usernames for suspicious characters.

**Temporary Mitigation POC Code:**

```apache
RewriteEngine on
RewriteLog /var/log/proftpd/rewrite.log
RewriteCond %U USER
# If your username has these characters, that's a problem.
RewriteRule \(\{|\}.* EXPL_USERNAME
```

*Note: This mitigation is effective only if the `mod_rewrite` module is loaded after `mod_sql` or loaded via `LoadModule`.*

## Vulnerability Exploitation Code (POC)

**1. Trigger Logic Analysis:** When the username is `'() (SELECT 1) ||'`:

- `is_escaped_text()` returns `TRUE` (because the value starts with `'`, ends with `'`, and contains no `'` in between).
- `sql_resolved_append_text()` skips the escaping step.

**2. Injection Result:** Assuming the logging configuration is:

```apache
SQLNamedQuery log_activity INSERT "%U", "%h", "%a" activity_log
```

The injected SQL statement becomes:

```sql
INSERT ''() (SELECT 1) ||'', ...
```

The matching single quotes cause the SQL parser to interpret this as: empty string + result set `(SELECT 1)` + empty string.

**3. Other Vulnerable Variables:** In addition to `%U` (username), the following variables may also be affected:

- `%h` (hostname)
- `%R` (RENAME_FROM)
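To make the trigger logic in section 1 concrete, the following added C example (not ProFTPD's code; `is_escaped_text_flawed`, `render_literal`, `text_outside_literals` and `leaked_sql` are hypothetical reconstructions of the behaviour this summary describes) shows the heuristic accepting the `'() (SELECT 1) ||'` username, then measures how much of that value reaches the parser as bare SQL on the flawed path versus when every single quote is unconditionally doubled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical reconstruction of the heuristic the advisory describes, not
 * ProFTPD's code: a value that starts and ends with a single quote and has
 * none in between is treated as "already escaped". */
bool is_escaped_text_flawed(const char *s) {
    size_t len = strlen(s);
    if (len < 2 || s[0] != '\'' || s[len - 1] != '\'') return false;
    for (size_t i = 1; i + 1 < len; i++)
        if (s[i] == '\'') return false;
    return true;
}

/* Render user as a SQL string literal. With use_heuristic, a value the
 * heuristic calls "escaped" is wrapped in quotes verbatim (the flawed path);
 * otherwise every single quote is doubled first, so the value is always
 * exactly one literal. Returns false if dst is too small. */
bool render_literal(const char *user, bool use_heuristic, char *dst, size_t n) {
    bool escape = !(use_heuristic && is_escaped_text_flawed(user));
    size_t k = 0;
    if (n < 3) return false;
    dst[k++] = '\'';
    for (const char *p = user; *p; p++) {
        if (k + 4 > n) return false;   /* room for up to 2 chars, quote, NUL */
        if (*p == '\'' && escape) dst[k++] = '\'';
        dst[k++] = *p;
    }
    dst[k++] = '\''; dst[k] = '\0';
    return true;
}

/* Count non-space characters outside any string literal ('' inside a literal
 * is an escaped quote). Above 0 means the value reached the parser as SQL. */
size_t text_outside_literals(const char *sql) {
    size_t count = 0; bool in_lit = false;
    for (const char *p = sql; *p; p++) {
        if (*p == '\'' && in_lit && p[1] == '\'') p++;   /* escaped quote */
        else if (*p == '\'') in_lit = !in_lit;
        else if (!in_lit && *p != ' ') count++;
    }
    return count;
}

/* SQL characters a username leaks past its literal on each path. */
size_t leaked_sql(const char *user, bool use_heuristic) {
    char buf[256];
    if (!render_literal(user, use_heuristic, buf, sizeof buf)) return (size_t)-1;
    return text_outside_literals(buf);
}
```

The defensive takeaway is that no "already escaped" check can be trusted on attacker-controlled text; the only safe path is to escape unconditionally.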