Bugtraq mailing list archives
GuildFTPD v0.97 Directory Traversal / Weak password encryption
From: ByteRage <byterage () yahoo com>
Date: Sat, 26 May 2001 09:44:47 -0700 (PDT)
GuildFTPD v0.97 Directory Traversal / Weak password encryption AFFECTED SYSTEMS GuildFTPD v0.97 tested on Windows 9x, probably works on NT / 2k as well DESCRIPTION 1) Directory Traversal Consider the following FTP session (I'm using windows' FTP.EXE proggie, and its associated commands) : The following commands : CD ../ CD .../ CD /.../ CD c:\ etc... all give "550 Access denied." errors, so the frontdoor seems to be closed... The following stuff *does* work however : LS /../* This way, we can map out the whole harddrive... other example : LS /../../windows/* Now, to retrieve a file, do something like : GET /../windows/system.ini c:\received-file.txt 2) And another thing... I don't want to whine to the guys who wrote this program, but storing the user:password pairs in plaintext in the program directory (the default.usr & default?.usr files) is asking for trouble : most ftp servers at least provide some way of encryption / hashing... when you combine this with the traversal bug, anyone can get the passwords of all the users by grabbing the default.usr file. VENDOR STATUS I have sent this advisory to both DrPhibez <guildftpd () ztnet com> and Nitro187 (Matthew Flewelling) <nitro () zophar net>, the programmers of GuildFTPD ======================================================= [ByteRage] <byterage () yahoo com> [www.byterage.cjb.net] ======================================================= __________________________________________________ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/
Current thread:
- GuildFTPD v0.97 Directory Traversal / Weak password encryption ByteRage (May 26)