From vulnwatch-return-401-jm=jmason.org@vulnwatch.org  Mon Jul 22 22:51:29 2002
Return-Path: <vulnwatch-return-401-yyyy=spamassassin.taint.org@vulnwatch.org>
Delivered-To: yyyy@localhost.netnoteinc.com
Received: from localhost (localhost [127.0.0.1])
	by phobos.labs.netnoteinc.com (Postfix) with ESMTP id 58591440C8
	for <jm@localhost>; Mon, 22 Jul 2002 17:51:29 -0400 (EDT)
Received: from dogma.slashnull.org [212.17.35.15]
	by localhost with IMAP (fetchmail-5.9.0)
	for jm@localhost (single-drop); Mon, 22 Jul 2002 22:51:29 +0100 (IST)
Received: from vikki.vulnwatch.org ([199.233.98.101]) by
    dogma.slashnull.org (8.11.6/8.11.6) with SMTP id g6MLmJ401718 for
    <jm@jmason.org>; Mon, 22 Jul 2002 22:48:19 +0100
Received: (qmail 12277 invoked by alias); 22 Jul 2002 21:48:37 -0000
Mailing-List: contact vulnwatch-help@vulnwatch.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:vulnwatch@vulnwatch.org>
List-Help: <mailto:vulnwatch-help@vulnwatch.org>
List-Unsubscribe: <mailto:vulnwatch-unsubscribe@vulnwatch.org>
List-Subscribe: <mailto:vulnwatch-subscribe@vulnwatch.org>
Delivered-To: mailing list vulnwatch@vulnwatch.org
Delivered-To: moderator for vulnwatch@vulnwatch.org
Received: (qmail 14701 invoked from network); 22 Jul 2002 21:41:59 -0000
Content-Type: text/plain; charset="iso-8859-1"
From: "Securiteinfo.com" <webmaster@securiteinfo.com>
Organization: Securiteinfo.com
To: bugtraq@securityfocus.com
Date: Mon, 22 Jul 2002 23:09:11 +0200
X-Mailer: KMail [version 1.2]
MIME-Version: 1.0
Message-Id: <02072223091100.01082@scrap>
Subject: [VulnWatch] Pablo Sofware Solutions FTP server Directory Traversal Vulnerability
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by dogma.slashnull.org
    id g6MLmJ401718

Pablo Software Solutions FTP server Directory Traversal Vulnerability


.oO  Overview Oo.
Pablo Software Solutions FTP server version 1.0 build 9 shows files and 
directories that reside outside the normal FTP root directory. 
Discovered on July 20th, 2002
Vendor: Pablo Software Solutions

Pablo's FTP Server is a multi-threaded FTP server for Windows 98/NT/XP. 
It comes with an easy-to-use interface and can be accessed from the system 
tray.  
The server handles all basic FTP commands and offers easy user account 
management and support for virtual directories.
This FTP server can show files and directory contents that reside outside the 
normal FTP root directory.


.oO  Details Oo.
The vulnerability can be triggered using the MS-DOS ftp client. Once you are 
logged on to the server, you can send a dir \..\, or a dir \..\WINNT, supposing 
your root directory is c:\ftp_server.
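
The containment check a server needs in order to refuse the two arguments above, as an added example (not the vendor's code and not part of the original advisory). The function name resolve_ftp_path, the exception PathEscapesRoot and the virtual current directory argument are assumptions made for illustration; it also generalises to forward slashes, drive letters and dot/space-padded segments.

```python
import ntpath  # Windows path rules, usable on any OS


class PathEscapesRoot(ValueError):
    """The client-supplied path resolves outside the FTP root."""


def resolve_ftp_path(root, cwd, arg):
    """Map an FTP path argument to a local Windows path under root."""
    # Windows accepts both separators, so normalise before any check.
    virt = arg.replace("\\", "/")
    # Drive letters, alternate data streams and NUL bytes are never valid here.
    if ":" in virt or "\x00" in virt:
        raise PathEscapesRoot(arg)
    # A leading separator means "from the virtual root", not the drive root.
    if not virt.startswith("/"):
        virt = cwd.rstrip("/") + "/" + virt
    parts = []
    for seg in virt.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:  # would climb above the virtual root
                raise PathEscapesRoot(arg)
            parts.pop()
        elif seg != seg.rstrip(". "):
            # Windows can trim trailing dots and spaces, so ".. " or "..."
            # must not pass as an ordinary name.
            raise PathEscapesRoot(arg)
        else:
            parts.append(seg)
    local = ntpath.normpath(ntpath.join(root, *parts))
    # Second, independent check on the final local path (case-insensitive).
    root_n = ntpath.normcase(ntpath.normpath(root))
    local_n = ntpath.normcase(local)
    if local_n != root_n and not local_n.startswith(root_n.rstrip("\\") + "\\"):
        raise PathEscapesRoot(arg)
    return local


if __name__ == "__main__":
    # Constructed client arguments; the first two are the advisory's own.
    for arg in ("\\..\\", "\\..\\WINNT", "pub\\readme.txt"):
        try:
            print(repr(arg), "->", resolve_ftp_path("c:\\ftp_server", "/", arg))
        except PathEscapesRoot:
            print(repr(arg), "-> rejected")
```
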


.oO  Solution Oo.
The vendor has been informed and has solved the problem.
Download Pablo's FTP Server Build 10 at:
http://www.pablovandermeer.nl/ftp_server.html


.oO  Discovered by Oo.
Arnaud Jacques
webmaster@securiteinfo.com
http://www.securiteinfo.com


