Guild FTPd allows remote attackers to determine the existence of files outside the FTP root via a .. (dot dot) attack, which provides different error messages depending on whether the file exists or not.
Guild FTPd will not send files outside the FTP root when they are specified with the ../ string in the path of the GET request. However, because the error messages differ, a remote user can determine whether the requested file exists: the error message "Download failed" appears if the requested file exists, and "Access denied" appears if it does not.
ftp> get ../filename
>PORT command successful.
>Opening ascii mode data connection for \../filename.
GuildFTPd contains a flaw that may lead to unauthorized information disclosure. The application does not properly sanitize user input, specifically traversal-style sequences (../../), and returns an error message that differs depending on whether the requested file exists on the system, resulting in a loss of confidentiality.
Upgrade to version 0.999.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
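
For anyone writing or reviewing a file server, the check below shows how the existence oracle described above arises and how a handler avoids it. It is an added example, not GuildFTPd's code: `leaky_retr` is an assumed model of the reported behaviour, and the function names, directory layout and reply strings other than the two quoted error messages are constructed for illustration.

```python
import os
import tempfile

DENIED = "550 Access denied."  # constructed reply: one message for every refusal

def resolve_in_root(root, requested):
    """Return the real path of `requested` if it stays inside `root`, else None."""
    root_real = os.path.realpath(root)
    # Clients may send either separator; treat the path as relative to the root.
    relative = requested.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root_real, relative))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate

def leaky_retr(root, requested):
    """Assumed model of the flaw: existence is tested before containment."""
    target = os.path.normpath(os.path.join(root, requested))
    if not os.path.exists(target):
        return "Access denied"
    if resolve_in_root(root, requested) is None:
        return "Download failed"  # only reachable when the outside file exists
    return "150 Opening data connection"

def uniform_retr(root, requested):
    """Containment is decided first, so nothing outside the root is ever probed."""
    target = resolve_in_root(root, requested)
    if target is None or not os.path.isfile(target):
        return DENIED
    return "150 Opening data connection"

def demo():
    """Build a constructed directory tree; return (leaky, uniform) reply per request."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "ftproot")
        os.mkdir(root)
        open(os.path.join(root, "readme.txt"), "w").close()
        open(os.path.join(base, "secret.txt"), "w").close()  # outside the root
        requests = ["readme.txt", "../secret.txt", "../missing.txt"]
        return {r: (leaky_retr(root, r), uniform_retr(root, r)) for r in requests}

if __name__ == "__main__":
    for request, replies in demo().items():
        print(request, replies)
```

A regression test for a server of this kind should assert that the replies for an existing and a non-existing path outside the root are byte-for-byte identical.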