mailing list archives
GuildFTPD v0.97 Directory Traversal / Weak password encryption
From: ByteRage <byterage () yahoo com>
Date: Sat, 26 May 2001 09:44:47 -0700 (PDT)
GuildFTPD v0.97 Directory Traversal / Weak password
tested on Windows 9x, probably works on NT / 2k as
1) Directory Traversal
Consider the following FTP session (I'm using windows'
FTP.EXE proggie, and its associated commands) :
The following commands :
all give "550 Access denied." errors, so the frontdoor
seems to be closed... The following stuff *does* work
This way, we can map out the whole harddrive...
other example : LS /../../windows/*
Now, to retrieve a file, do something like :
GET /../windows/system.ini c:\received-file.txt
And another thing... I don't want to whine to the guys
who wrote this program, but storing the user:password
pairs in plaintext in the program directory (the
default.usr & default?.usr files) is asking for
trouble : most ftp servers at least provide some way
encryption / hashing... when you combine this with the
traversal bug, anyone can get the passwords of all the
users by grabbing the default.usr file.
I have sent this advisory to both DrPhibez
<guildftpd () ztnet com> and Nitro187 (Matthew
Flewelling) <nitro () zophar net>, the programmers of
[ByteRage] <byterage () yahoo com> [www.byterage.cjb.net]
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
- GuildFTPD v0.97 Directory Traversal / Weak password encryption ByteRage (May 26)