COMMAND
Broker FTP Server
SYSTEMS AFFECTED
Broker FTP Server v. 3.0 Build 1
PROBLEM
Arne Vidstrom found the following vulnerability in Broker FTP Server
v. 3.0 Build 1. Here's an example. You have it installed with the
FTP root in c:\FTProot and a user "test" whose home directory is
c:\FTProot\test. You have also checked the "Display as ROOT
directory" checkbox for test, so he/she should not be able to get
below the home directory. CWD won't take him/her below it, but LIST
will:
LIST ..\..\winnt\
will list the contents of c:\winnt and
NLST ..\..\winnt\
will also list the contents of c:\winnt. Of course this isn't as
bad as if CWD or RETR had worked, but you probably don't want
anybody to be able to look around in your private directories,
or to find out what CGI scripts you have.
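The root of the problem described above is that the server confined CWD
but not LIST and NLST. The following is an added example, not Broker FTP
Server's code or Transsoft's fix, showing the check a server should apply
to every path-taking command, plus a small log scan a defender could use
to spot such requests. It assumes the layout from the advisory (FTP root
c:\FTProot, user "test" with home c:\FTProot\test displayed as that
user's root) and a constructed log format of
"<user> <virtual cwd> <COMMAND> [argument]".

```python
# Added example, not Broker FTP Server's code: a single path-confinement
# check applied to every path-taking FTP command, so that LIST and NLST are
# confined to the same directory as CWD. Paths are Windows-style (ntpath)
# and the layout is the one from the advisory: FTP root c:\FTProot and a
# user "test" whose home c:\FTProot\test is shown to that user as the root.
import ntpath

# Constructed from the advisory: with "Display as ROOT directory" set, the
# user's home directory is the virtual root for everything that user does.
USER_ROOT = "c:\\FTProot\\test"

# Every command that takes a filesystem path must go through the same
# check. The advisory's bug was that only CWD was confined.
PATH_COMMANDS = {"CWD", "LIST", "NLST", "RETR", "STOR", "DELE", "MKD", "RMD"}


def virtual_to_real(user_root, virtual_cwd, argument):
    r"""Map a client-supplied path to a real path (no confinement yet).

    Drive letters are dropped and a leading separator means "the user's
    root", so a client can never name c:\ directly. '/' is accepted as a
    separator because FTP clients commonly send it.
    """
    _drive, rest = ntpath.splitdrive(argument.replace("/", "\\"))
    if rest.startswith("\\"):
        candidate = ntpath.join(user_root, rest.lstrip("\\"))
    else:
        candidate = ntpath.join(user_root, virtual_cwd.strip("\\"), rest)
    # normpath collapses "." and "..", so the check sees the real target.
    return ntpath.normpath(candidate)


def is_confined(user_root, real_path):
    r"""True if real_path is user_root itself or lies beneath it.

    The comparison is case-insensitive (Windows filesystems are) and the
    trailing separator stops c:\FTProot\test2 from matching c:\FTProot\test.
    """
    root = ntpath.normcase(ntpath.normpath(user_root))
    path = ntpath.normcase(real_path)
    return path == root or path.startswith(root.rstrip("\\") + "\\")


def authorize(command, user_root, virtual_cwd, argument):
    """Return (allowed, real_path); (True, None) for commands without a path."""
    if command.upper() not in PATH_COMMANDS:
        return True, None
    real = virtual_to_real(user_root, virtual_cwd, argument)
    if not is_confined(user_root, real):
        return False, None
    return True, real


def handle(command, user_root, virtual_cwd, argument):
    """Minimal reply generator: CWD and LIST get identical treatment."""
    allowed, real = authorize(command, user_root, virtual_cwd, argument)
    if not allowed:
        return "550 Permission denied"
    if command.upper() == "CWD":
        return "250 Directory changed"
    # Real paths are deliberately not echoed back to the client.
    return "150 Opening data connection for " + command.upper()


def escape_attempts(log_lines, user_root):
    """Flag log entries whose argument resolves outside the user's root.

    The log format is constructed for this example:
    "<user> <virtual cwd> <COMMAND> [argument]". Checking the resolved
    path rather than grepping for ".." also catches spellings such as
    "sub\\..\\..\\..\\winnt" and mixed '/' and '\\' separators.
    """
    flagged = []
    for line in log_lines:
        parts = line.split(" ", 3)
        if len(parts) < 3:
            continue  # malformed entry, nothing to check
        _user, cwd, cmd = parts[:3]
        arg = parts[3] if len(parts) == 4 else ""
        allowed, _ = authorize(cmd, user_root, cwd, arg)
        if not allowed:
            flagged.append(line)
    return flagged


# Constructed session log mirroring the advisory's LIST/NLST requests.
SAMPLE_LOG = [
    "test \\ LIST",
    "test \\ CWD ..\\..\\winnt",
    "test \\ LIST ..\\..\\winnt\\",
    "test \\ NLST ..\\..\\winnt\\",
    "test \\sub RETR ..\\readme.txt",
    "test \\ RETR c:\\winnt\\system.ini",
]

if __name__ == "__main__":
    for entry in escape_attempts(SAMPLE_LOG, USER_ROOT):
        print("escape attempt:", entry)
```

The point of routing every command through authorize() is that there is
one place to get right; a per-command check is exactly how CWD ended up
confined while LIST and NLST were not. Resolving the path before checking
it (rather than rejecting anything containing "..") also means a request
such as "sub\..\readme.txt", which stays inside the home directory, is
still allowed.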
SOLUTION
Transsoft has been contacted about this, and they should have
released a new version that fixed this.