CVE-2026-42167 Overview
CVE-2026-42167 is a SQL Injection vulnerability in the mod_sql module of ProFTPD before version 1.3.10rc1 that allows remote attackers to execute arbitrary code. The vulnerability exists in scenarios where USER request logging is enabled with username expansion (such as %U), and the SQL backend supports command execution capabilities like PostgreSQL's COPY TO PROGRAM.
Critical Impact
Remote attackers can achieve arbitrary code execution on vulnerable ProFTPD servers without authentication by crafting malicious usernames that exploit SQL injection in the logging functionality.
Affected Products
- ProFTPD versions before 1.3.10rc1
- ProFTPD installations using mod_sql with USER request logging enabled
- Configurations using SQL backends that support command execution (e.g., PostgreSQL with COPY TO PROGRAM)
Discovery Timeline
- April 28, 2026 - CVE-2026-42167 published to NVD
- April 29, 2026 - Last updated in NVD database
Technical Details for CVE-2026-42167
Vulnerability Analysis
This vulnerability is classified as CWE-89 (SQL Injection) and represents a critical security flaw in how ProFTPD's mod_sql module handles user-supplied input during authentication logging. The attack exploits the intersection of two features: FTP authentication logging with username expansion and SQL backend command execution capabilities.
When ProFTPD is configured to log USER requests with expansions like %U, the username provided by the client is incorporated into SQL statements. If proper sanitization is not performed, an attacker can inject malicious SQL commands through the username field. When combined with a database backend that supports command execution—such as PostgreSQL's COPY TO PROGRAM feature—this SQL injection can be escalated to full remote code execution on the server.
The attack is particularly dangerous because it occurs during the authentication phase, meaning no valid credentials are required. The attacker simply needs to connect to the FTP service and provide a specially crafted username.
Root Cause
The root cause is improper input validation and sanitization of the username field before it is used in SQL logging statements. The mod_sql module fails to adequately escape or parameterize user input when constructing SQL queries for logging purposes. This allows specially crafted usernames containing SQL metacharacters and injection payloads to modify the intended SQL statement structure.
Attack Vector
The attack is network-based and requires no prior authentication or user interaction. An attacker connects to the vulnerable ProFTPD server and sends a USER command with a malicious payload embedded in the username. The payload exploits the SQL injection to execute database commands, which can then leverage database-specific features to achieve operating system command execution.
For PostgreSQL backends, the attack chain typically involves:
- Injecting SQL to terminate the current statement
- Using COPY TO PROGRAM to execute arbitrary shell commands
- Commands execute with the privileges of the database or ProFTPD service
The vulnerability mechanism involves the mod_sql module processing USER commands and logging them via SQL statements. When username expansion like %U is used, attacker-controlled input flows directly into SQL queries without proper sanitization, enabling injection attacks. Technical details and proof-of-concept information are available in the ZeroPath blog post and the GitHub PoC repository.
Detection Methods for CVE-2026-42167
Indicators of Compromise
- Unusual or malformed usernames in FTP authentication logs containing SQL syntax (quotes, semicolons, COPY, PROGRAM)
- Database logs showing unexpected COPY TO PROGRAM statements or other command execution attempts
- Failed authentication attempts with usernames containing SQL injection patterns
- Unexpected processes spawned by the database server or ProFTPD service
Detection Strategies
- Monitor FTP logs for authentication attempts with usernames containing SQL metacharacters such as single quotes, double dashes, semicolons, or keywords like SELECT, UNION, COPY
- Implement database query logging to detect anomalous SQL statements originating from ProFTPD connections
- Deploy network intrusion detection rules to identify SQL injection patterns in FTP USER commands
- Use behavioral analysis to detect child processes spawned by database or FTP services
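As an added example that is not part of the original advisory, the following Python scans ProFTPD ExtendedLog-style lines for USER commands whose argument carries the metacharacters and keywords listed above, weighting them so that a lone apostrophe in a legitimate name such as o'brien does not alert by itself. The log format, the indicator weights and the sample lines are assumptions constructed for the example.

```python
import re

# Constructed sample lines in ProFTPD ExtendedLog style (%h %u %t "%r"); not real logs.
SAMPLE_LOG = """\
203.0.113.5 UNKNOWN [01/May/2026:10:00:01 +0000] "USER alice"
203.0.113.9 UNKNOWN [01/May/2026:10:00:07 +0000] "USER bob'; COPY t TO PROGRAM 'cmd'--"
198.51.100.2 UNKNOWN [01/May/2026:10:01:13 +0000] "USER o'brien"
198.51.100.4 UNKNOWN [01/May/2026:10:02:44 +0000] "PASS (hidden)"
"""

# The USER command and its full argument, as written by %r at the end of the line.
USER_CMD = re.compile(r'"USER (?P<name>.*)"\s*$')

# Indicators named in the advisory, each with an assumed weight; tune to the local user base.
INDICATORS = [
    ("single_quote", re.compile(r"'"), 1),
    ("semicolon", re.compile(r";"), 2),
    ("comment_seq", re.compile(r"--|/\*"), 2),
    ("sql_keyword", re.compile(r"\b(SELECT|UNION|INSERT|COPY|PROGRAM)\b", re.I), 3),
]

def score_username(name):
    """Return (score, matched indicator labels) for one USER argument."""
    hits = [label for label, pat, _ in INDICATORS if pat.search(name)]
    score = sum(weight for label, _, weight in INDICATORS if label in hits)
    return score, hits

def scan_log(text, threshold=3):
    """Return one alert dict per USER command whose argument scores at or above threshold."""
    alerts = []
    for line in text.splitlines():
        match = USER_CMD.search(line)
        if not match:
            continue
        name = match.group("name")
        score, hits = score_username(name)
        if score >= threshold:
            alerts.append({"username": name, "score": score, "hits": hits, "line": line})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"score={alert['score']} hits={','.join(alert['hits'])} user={alert['username']!r}")
```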
Monitoring Recommendations
- Enable verbose logging on ProFTPD servers to capture full USER command content
- Configure database auditing to log all command execution attempts
- Implement file integrity monitoring on systems running vulnerable ProFTPD versions
- Set up alerts for any process execution originating from database service accounts
How to Mitigate CVE-2026-42167
Immediate Actions Required
- Upgrade ProFTPD to version 1.3.10rc1 or later immediately
- If immediate upgrade is not possible, disable mod_sql or remove USER request logging with %U expansion
- Review ProFTPD configuration files for vulnerable logging configurations
- Audit database permissions to restrict or remove command execution capabilities where not required
Patch Information
The vulnerability has been addressed in ProFTPD version 1.3.10rc1. Organizations should upgrade to this version or later to remediate the vulnerability. Detailed release information is available in the ProFTPD Release Notes for 1.3.10rc1. Additional discussion can be found in GitHub Issue #2052.
Workarounds
- Remove or modify SQLLog directives that use %U expansion for USER commands
- Restrict database user permissions to prevent use of COPY TO PROGRAM and similar command execution features
- Implement network segmentation to limit access to FTP services from untrusted networks
- Use a Web Application Firewall (WAF) or FTP proxy that can filter SQL injection patterns in authentication requests
# Configuration example - disable vulnerable logging in proftpd.conf
# A SQLLog triggered on USER whose named query expands %U sends the raw client-supplied
# username into SQL. Assumed mod_sql syntax: SQLNamedQuery <name> INSERT "<values>" <table>
# followed by SQLLog <command> <query-name>.
#
# Before (vulnerable): the USER trigger expands %U into the INSERT
SQLNamedQuery log-login INSERT "'%U'" login_log
SQLLog USER log-login
#
# After (mitigated): remove the USER trigger (or the whole named query) so %U is never expanded
# SQLLog USER log-login
#
# Additionally, make sure the database account ProFTPD uses cannot run COPY TO PROGRAM.
# In PostgreSQL that needs superuser or membership in the pg_execute_server_program role,
# so confirm the account is not a superuser and revoke that role:
ALTER ROLE proftpd_user NOSUPERUSER;
REVOKE pg_execute_server_program FROM proftpd_user;
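As an added example, not taken from the advisory or from the ProFTPD project, this Python audit script finds SQLLog directives triggered on USER whose SQLNamedQuery body expands %U, which is the logging pattern the workarounds above tell you to remove. The mod_sql directive syntax it parses (SQLNamedQuery name type "query" [table]; SQLLog command-list query-name) and the sample configuration are assumptions constructed for the example.

```python
import re

# Constructed proftpd.conf fragment; the directive syntax is assumed, not taken from ProFTPD docs.
SAMPLE_CONF = """\
<IfModule mod_sql.c>
  SQLNamedQuery log-login INSERT "'%U', '%h', now()" login_log
  SQLNamedQuery log-xfer  INSERT "'%u', '%f'" xfer_log
  SQLNamedQuery count-users SELECT "COUNT(*) FROM users"
  SQLLog USER log-login
  SQLLog RETR,STOR log-xfer
</IfModule>
"""

# SQLNamedQuery <name> <type> "<query body>" ...; the body may contain escaped quotes.
NAMED_QUERY = re.compile(r'^\s*SQLNamedQuery\s+(\S+)\s+(\S+)\s+"((?:[^"\\]|\\.)*)"', re.M)
# SQLLog <comma-separated commands> <query name>; the trailing \s+ keeps SQLLogFile from matching.
SQL_LOG = re.compile(r'^\s*SQLLog\s+(\S+)\s+(\S+)', re.M)

# Expansions that carry the raw, unauthenticated username sent by the client.
# %U is the one named in the advisory; extend this tuple for any others in use.
UNTRUSTED_VARS = ("%U",)

def find_vulnerable_logging(conf):
    """Return one finding per SQLLog on USER whose named query expands an untrusted variable."""
    queries = {name: (qtype, body) for name, qtype, body in NAMED_QUERY.findall(conf)}
    findings = []
    for cmds, name in SQL_LOG.findall(conf):
        commands = {c.strip().upper() for c in cmds.split(",")}
        if "USER" not in commands:
            continue
        qtype, body = queries.get(name, (None, ""))
        used = [var for var in UNTRUSTED_VARS if var in body]
        if used:
            findings.append({"query": name, "type": qtype, "vars": used, "body": body})
    return findings

if __name__ == "__main__":
    for finding in find_vulnerable_logging(SAMPLE_CONF):
        print(f"SQLLog USER -> {finding['query']} ({finding['type']}) expands {finding['vars']}: {finding['body']}")
```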
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


