Reported January 19, 2001, by Strumpf Noir
Multiple vulnerabilities have been discovered in FastStream FTP++. The first being a DoS attack where a malicious user can flood the FTP server by sending requests of 2048 bytes or greater.
The second vulnerability is a condition where a malicious user can browse and obtain directory listings outside of the FTP root directory. A simple "ls C:\" would provide the user a directory listing of the C drive.
The final vulnerability lies in the storage of usernames and passwords. FastStream stores the username and passwords in a file that is unencrypted. Also, it seems that the USER and PASS commands are implemented for compatibility reasons only and the username and password file actually has no relevance to the logon process.
The vendor has been notified and has released a new BETA version of their software. This version addresses the directory listing vulnerability but not the DoS attack or password issues. Check the vendor web site for more information.
Multiple Vulnerabilities in FastStream FTP++ Server