SmartFTP Daemon contains a flaw that allows a remote attacker to hijack arbitrary account privileges. The flaw is due to the program not validating requests to access configuration files. If an attacker uploads a specially crafted configuration file with pointers to an arbitrary user, they can then login using a directory traversal style attack (../../) for the username which will access the arbitrary configuration file.
Upgrade to version 0.2 Build 10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.