> a quick note, Winsock FTPD 3.00 pro and 2.41
> (maybe prior) are vulnerable

Thanks for the note - we released 3.00 R4 last week 
to fix this vulnerability.  [We now refuse to list any 
parameter list containing "/.."]

> PS: Serv-U ftp doesn't seem to be vulnerable

No duh - Serv-U doesn't bother to expand wildcards 
in non-terminal path elements.  I spent a good couple 
of hours putting the code into WFTPD to do that, for 
one particular customer's requirement.  Note - there 
is no "glob" in Windows (at least, not that works this 
way), and so we're apparently _not_ vulnerable to the 
other glob problem reported elsewhere.

Alun.
~~~~
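
The check described in the reply above (refusing LIST parameters that contain "/.."), sketched as an added example; this is not WFTPD's code. It generalizes the substring test to a per-element test, and assumes that backslash also separates path elements on Windows and that parameters are space-separated; `is_sep` and `list_args_allowed` are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical helper: true if c separates path elements.
   Assumption: on Windows both '/' and '\\' act as separators. */
static bool is_sep(char c) { return c == '/' || c == '\\'; }

/* Returns false when any path element of any parameter is exactly "..",
   true otherwise. Wildcards are left alone; only ".." elements are refused,
   so a name such as "notes..old" is still listable. */
bool list_args_allowed(const char *args)
{
    const char *p = args;
    while (*p) {
        const char *start = p;               /* start of current element */
        while (*p && !is_sep(*p) && *p != ' ')
            p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return false;                    /* parent-directory element */
        if (*p)
            p++;                             /* skip separator or space */
    }
    return true;
}

int main(void)
{
    /* Constructed sample LIST parameter strings, not taken from the thread. */
    const char *samples[] = {
        "pub/*.txt", "*/../*", "pub\\..\\x", "notes..old/file", "-l ..", ""
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %s\n", samples[i],
               list_args_allowed(samples[i]) ? "list" : "refuse");
    return 0;
}
```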
