COMMAND

    BisonFTP Server

SYSTEMS AFFECTED

    BisonFTP Server V4R1

PROBLEM

    ByteRage found the following.  BisonFTP Server V4R1 allows any user
    to upload *.bdl files (a file format invented to make links to
    directories):

        PUT \local.bdl remote.bdl

    (We don't even need to append a dot; we can just upload it.)

    If we create a *.bdl pointing to the hard drive's root (using our
    own copy of BisonFTP Server) and we CD to that link, we can browse
    the entire drive with the same rights as we have in our home
    directory, and we can descend into subdirectories whilst keeping
    the same rights.

    Users with write permissions can traverse directories by uploading
    a bdl file pointing to the desired (root) directory.

SOLUTION

    Vendor knows about it.
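
    An added example, not part of the original advisory or of BisonFTP's
    code: a server-side check that refuses link-file uploads and follows
    a link only when its target stays inside the user's home directory.
    It assumes the target path has already been read out of the .bdl
    file (the format is not described here); the function names and the
    sample paths are hypothetical.

```python
import ntpath  # Windows path rules, usable on any platform

LINK_EXT = ".bdl"  # link-file extension named in the advisory


def _norm(path):
    # Windows semantics: collapse "..", unify separators, ignore case.
    return ntpath.normcase(ntpath.normpath(path))


def is_link_upload(remote_name):
    """True if a client-supplied upload name would land as a link file.

    Windows drops trailing dots and spaces when it creates a file, so
    "x.bdl." and "x.bdl " must be treated exactly like "x.bdl".
    """
    base = ntpath.basename(remote_name.replace("/", "\\"))
    return base.rstrip(". ").lower().endswith(LINK_EXT)


def target_allowed(link_target, home_dir):
    """True only if the link target is home_dir or lies beneath it."""
    home = _norm(home_dir)
    # Relative targets resolve against the home directory; absolute
    # targets (e.g. a drive root) replace it and are then compared.
    target = _norm(ntpath.join(home, link_target))
    try:
        # Component-wise comparison, so "alice2" is not "inside" "alice".
        return ntpath.commonpath([home, target]) == home
    except ValueError:  # different drives, or absolute vs. relative
        return False


if __name__ == "__main__":
    home = "C:\\FTP\\Users\\alice"  # constructed sample value
    for name in ("remote.bdl", "remote.bdl.", "notes.txt"):
        print(name, "-> reject upload" if is_link_upload(name) else "-> ok")
    for tgt in ("C:\\", "incoming", "docs\\..\\..\\bob"):
        print(tgt, "-> follow" if target_allowed(tgt, home) else "-> refuse")
```

    Either check alone closes the path described above; applying both
    also covers link files that reach the directory by other means.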