Package: proftpd-mysql
Version: 1.3.0-19
Severity: critical

If:
- SQLAuthTypes contains PlainText,
- RequireValidShell is off,
- and there is no AuthOrder mod_sql.c defined

then it's possible to log in as a system user with password '*' or '!'.

For example, the example configuration file on proftpd's website is vulnerable:
http://www.proftpd.org/docs/configs/mysql_simple.conf

I was able to download all MySQL databases on my server when logging in with username 'mysql' and password '!'.
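
A configuration check for the three conditions listed in the report above, as an added example that is not part of the original bug report or of ProFTPD. The function names are hypothetical and both sample configurations are constructed; it assumes RequireValidShell defaults to on, and it does not follow Include files or distinguish <VirtualHost>/<Global> contexts.

```python
# Added example: flags the directive combination described in the report.
# Names (directives, audit) and both sample configs are constructed.

VULNERABLE_CONF = """\
ServerName "constructed example"
RequireValidShell off
SQLAuthTypes Plaintext Crypt
SQLAuthenticate users
"""

FIXED_CONF = """\
ServerName "constructed example"
RequireValidShell off
AuthOrder mod_sql.c
SQLAuthTypes Plaintext Crypt
"""


def directives(conf_text):
    """Yield (lowercased name, lowercased args) per directive line."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("<"):  # skip blanks and section tags
            continue
        name, *args = line.lower().split()
        yield name, args


def audit(conf_text):
    """Return the three conditions plus an overall 'affected' verdict."""
    result = {"plaintext": False, "valid_shell_off": False, "authorder_sql": False}
    for name, args in directives(conf_text):
        if name == "sqlauthtypes" and "plaintext" in args:
            result["plaintext"] = True
        elif name == "requirevalidshell":
            # Last occurrence wins in this simplified model; default is on.
            result["valid_shell_off"] = args[:1] == ["off"]
        elif name == "authorder" and "mod_sql.c" in args:
            result["authorder_sql"] = True
    result["affected"] = (result["plaintext"] and result["valid_shell_off"]
                          and not result["authorder_sql"])
    return result


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        print(label, audit(conf))
```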