[ SOURCE: http://www.secureroot.com/security/advisories/9768328404.html ]

        The mod_sqlpw module for ProFTPD caches the user id and password

information returned from the mysql database when attempting to verify a

password.  When the "user" command is used to switch to another account,

the cached password is not cleard, and the password entered is checked

against the cached password.  If a user knows the password for a valid

account on a ProFTPD system using mod_sqlpw, they may log into any other

account in the database by doing the following:



1. FTP to the host running ProFTPD/mod_sqlpw.

2. At the login prompt, enter the user id of the known account "bob".

3. When prompted for a password, enter an invalid password for the

account "bob".  Authentication will fail.

4. Type "user alice", where "alice" is another account in the user

database.

5. When prompted for a password, enter the correct password for "bob".



At this point, the user "bob" is logged in as the user "alice" without

knowing alice's password.



Joe Miller