The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote malicious users to list arbitrary directories as root by running the LIST command before logging in.