I found a bug in the SmartFTP-D Server which will give an attacker full access to the server, if he has the right to write files on the server. For every user, the program is checking if a special Userfile exists (Sample: Username=hacker & Userfile=hacker.FTP_User). If it exists, the configuration, like password, rights, etc. will be read out of this file. The program doesn't check for bad characters, so by using "..\" you can switch to other directorys. If an attacker has an account on the machine, where he can write files, he can use this to get full access to the whole machine! Let's take this example: Upload directory is D:\Upload and SmartFTP-D is installed in D:\Program Files\SmartFTP Daemon. An attacker would upload a file called exploit.FTP_User, which includes his own password and the rigths, he wishes to have. If he now uses the Username "..\..\..\..\..\Upload\exploit", his uploaded Userfile will be used and he can login. mindstorm networks has been informed about this bug and a fix should be available soon. Until they will release a fix, you can get my unofficial HotFix at my homepage, which will implement the missing check-function for bad characters in the Username. -Moritz -- Moritz Jodeit http://jodeit.cjb.net