GuildFTPD v0.97 Directory Traversal / Weak password encryption

[ByteRage <byterage () yahoo com>]

GuildFTPD v0.97 Directory Traversal / Weak password
encryption

AFFECTED SYSTEMS

GuildFTPD v0.97
tested on Windows 9x, probably works on NT / 2k as
well

DESCRIPTION

1) Directory Traversal
Consider the following FTP session (I'm using windows'
FTP.EXE proggie, and its associated commands) :

The following commands :
CD ../
CD .../
CD /.../
CD c:\
etc...
all give "550 Access denied." errors, so the frontdoor
seems to be closed... The following stuff *does* work
however :

LS /../*

This way, we can map out the whole harddrive...
other example : LS /../../windows/*

Now, to retrieve a file, do something like :

GET /../windows/system.ini c:\received-file.txt

2)
And another thing... I don't want to whine to the guys
who wrote this program, but storing the user:password
pairs in plaintext in the program directory (the
default.usr & default?.usr files) is asking for
trouble : most ftp servers at least provide some way
of
encryption / hashing... when you combine this with the
traversal bug, anyone can get the passwords of all the
users by grabbing the default.usr file.

VENDOR STATUS

I have sent this advisory to both DrPhibez
<guildftpd () ztnet com> and Nitro187 (Matthew
Flewelling) <nitro () zophar net>, the programmers of
GuildFTPD

=======================================================
[ByteRage] <byterage () yahoo com> [www.byterage.cjb.net]
=======================================================


__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/