Skip navigation

Multiple Vulnerabilities in FastStream FTP++ Server

Reported January 19, 2001, by Strumpf Noir

  • FastStream FTP++ 2 Beta 10 Build 2


Multiple vulnerabilities have been discovered in FastStream FTP++.  The first being a DoS attack where a malicious user can flood the FTP server by sending requests of 2048 bytes or greater.

The second vulnerability is a condition where a malicious user can browse and obtain directory listings outside of the FTP root directory.  A simple "ls C:\" would provide the user a directory listing of the C drive.

The final vulnerability lies in the storage of usernames and passwords.  FastStream stores the username and passwords in a file that is unencrypted.  Also, it seems that the USER and PASS commands are implemented for compatibility reasons only and the username and password file actually has no relevance to the logon process.


The vendor has been notified and has released a new BETA version of their software.  This version addresses the directory listing vulnerability but not the DoS attack or password issues.  Check the vendor web site for more information.

Discovered by
Strumpf Noir.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.