COMMAND

    GuildFTPD v0.97

SYSTEMS AFFECTED

    GuildFTPD v0.97

PROBLEM

    'ByteRage' found the following.

    1) Directory Traversal
    ======================
    Consider the following FTP session (using Windows' FTP.EXE proggie,
    and its associated commands).  The following commands:

        CD ../
        CD .../
        CD /.../
        CD c:\
        etc...

    all give "550 Access denied." errors, so the front door seems to be
    closed... The following stuff *does* work however:

        LS /../*

    This way, we can map out the whole hard drive... other example:

        LS /../../windows/*

    Now, to retrieve a file, do something like:

        GET /../windows/system.ini c:\received-file.txt
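    The pattern above is a check that only inspects how a path *starts*, so
    a path that begins with "/" and then climbs with "../" slips through. The
    following Python is an added illustration, not GuildFTPd's code: a
    constructed model of such a prefix-only check beside a confinement
    routine that rejects parent components anywhere in the path and verifies
    the resolved location stays under an assumed FTP root of /srv/ftp.

```python
import posixpath
from typing import Optional

ROOT = "/srv/ftp"   # assumed FTP root for this worked example

# Literal forms the advisory reports as denied by the server.
DENIED_PREFIXES = ("../", ".../", "/.../")

def weak_is_allowed(request_path: str) -> bool:
    """Constructed model of a 'front door only' check: it looks at the
    start of the string and never normalises the path."""
    p = request_path.replace("\\", "/")
    if len(p) >= 2 and p[1] == ":":          # drive letter such as c:\
        return False
    return not p.startswith(DENIED_PREFIXES)

def confined_path(request_path: str, root: str = ROOT) -> Optional[str]:
    """Resolve an FTP virtual path under root; None means denied."""
    p = request_path.replace("\\", "/")
    parts = [c for c in p.split("/") if c not in ("", ".")]
    # Reject any dots-only component ("..", "...") or a drive letter
    # wherever it appears, not only at the start of the string.
    if any(c.strip(".") == "" or ":" in c for c in parts):
        return None
    resolved = posixpath.normpath(posixpath.join(root, *parts))
    # Belt and braces: the resolved path must still lie inside root.
    if resolved != root and not resolved.startswith(root + "/"):
        return None
    return resolved
```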

    2) Password availability
    ========================
    And another thing... Storing the user:password pairs in plaintext in
    the program directory (the default.usr & default?.usr files) is asking
    for trouble: most FTP servers at least provide some way of encryption
    / hashing... when you combine this with the traversal bug, anyone can
    get the passwords of all the users by grabbing the default.usr file.

SOLUTION

    GuildFTPd developers know about it.