


Perceptive Security
SOC/SIEM Consultancy

In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inje…
Published:
4 May 2026 at 22:00:00
Alert date:
5 May 2026 at 21:02:16
Source:
nvd.nist.gov
Network Infrastructure, Database & Storage
A SQL injection vulnerability exists in ProFTPD through version 1.3.9a in the sqltab_fetch_clients_cb() function within contrib/mod_wrap2_sql.c. The vulnerability allows remote attackers to inject arbitrary SQL commands via crafted domain names during reverse DNS lookups. The issue occurs when 'UseReverseDNS on' is enabled, causing attacker-supplied hostnames to be passed unescaped into SQL queries. Character restrictions of DNS names may limit exploitability. The vulnerability has been addressed in commit 7666224.
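The description above attributes the flaw to reverse-DNS hostnames reaching a SQL query unescaped. As an added illustration (not ProFTPD's code and not the change made in commit 7666224), the C example below treats the resolved name as untrusted input: it accepts only letter-digit-hyphen hostnames and quotes the value before building the query. The function names, the `wrap_clients` table and its columns are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

static int is_ld(unsigned char c) { /* ASCII only; isalnum() is locale-dependent */
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
}
/* 1 if name is made only of letter-digit-hyphen labels (1-63 bytes each, no
 * leading or trailing hyphen, at most 253 bytes in total), else 0. */
int hostname_is_ldh(const char *name) {
    size_t len = strlen(name), label = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label == 0 || name[i - 1] == '-') return 0;
            label = 0;
        } else if (is_ld(c) || (c == '-' && label > 0)) {
            if (++label > 63) return 0;
        } else return 0;
    }
    return name[len - 1] != '-';
}
/* Writes in as a quoted SQL literal, doubling single quotes; -1 if out is too
 * small. Real code should use the driver's escaping call or bound parameters. */
int sql_quote_literal(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    if (outsz < 3) return -1;
    out[o++] = '\'';
    for (; *in; in++) {
        if (o + 4 > outsz) return -1; /* worst case: 2 bytes + closing quote + NUL */
        if (*in == '\'') out[o++] = '\'';
        out[o++] = *in;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return (int)o;
}
/* Validate, then quote, then build. Table and column names are hypothetical. */
int build_client_query(const char *rdns_name, char *out, size_t outsz) {
    char lit[512];
    if (!hostname_is_ldh(rdns_name) || sql_quote_literal(rdns_name, lit, sizeof lit) < 0) return -1;
    int n = snprintf(out, outsz, "SELECT allowed FROM wrap_clients WHERE name = %s", lit);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}
int main(void) {
    char q[640]; /* the second name is a constructed hostile PTR value */
    puts(build_client_query("ftp-01.example.net", q, sizeof q) < 0 ? "rejected" : q);
    puts(build_client_query("host'x.example.net", q, sizeof q) < 0 ? "rejected" : q);
}
```

The validator is deliberately strict: names containing underscores or other non-LDH bytes are rejected rather than escaped, so a deployment that relies on such names would need to fall back to IP-based rules.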
Affected products:
ProFTPD
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-44331
https://github.com/proftpd/proftpd/commit/766622456440fbca33abd7927c523673a11d1ed1
https://github.com/proftpd/proftpd/issues/2057
This article was created with the assistance of AI technology by Perceptive.
