FTGate Web Interface Server Path Traversal Vulnerability

Vulnerability ID: 1105459
Vulnerability type: Unknown
Published: 1999-05-25
Updated: 2005-05-02
CVE ID: CVE-1999-0887
CNNVD-ID: CNNVD-199911-016
Affected platform: Multiple
CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/19223
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199911-016
|Vulnerability details
A vulnerability exists in the FTGate web interface server. A remote attacker can read files via a ".." (dot dot) attack.
|Exploit
source: http://www.securityfocus.com/bid/280/info

A vulnerability in Floosietek's FTGate allows remote malicious users to steal local files.

Floosietek's FTGate is a Win32 mail server program. One of its features is allowing administrators to check the status of the mail server using a web browser via a built-in web server.

The web server fails to check whether requested files fall outside its document tree (by using ".." in the URL). Attackers can therefore retrieve files on the same drive as the one on which the software resides, provided they know or can obtain the filename.

http://www.example.com:8080/../newuser.txt
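
The missing document-tree check, shown as an added example (not FTGate's code and not part of the advisory): `naive_map` reproduces the described behaviour, `safe_map` adds the containment check. The document root `C:\FTGate\web` and the file `status.html` are assumed for illustration, and the check is lexical only (it does not follow junctions or symlinks).

```python
import ntpath  # Win32 path rules; purely lexical, so this runs on any OS
from urllib.parse import unquote, urlsplit

DOC_ROOT = r"C:\FTGate\web"  # assumed install path, not from the advisory


def naive_map(url, root=DOC_ROOT):
    """Behaviour the advisory describes: join to the root and serve, no check."""
    path = unquote(urlsplit(url).path).lstrip("/")
    return ntpath.normpath(ntpath.join(root, path))


def safe_map(url, root=DOC_ROOT):
    """Return the file path to serve, or None if it leaves the document tree."""
    path = unquote(urlsplit(url).path)  # decode once, then validate the result
    if "\x00" in path or ":" in path:   # NUL bytes, drive letters, NTFS streams
        return None
    # Win32 accepts both separators, so treat "\" like "/" before resolving.
    rel = path.replace("/", "\\").lstrip("\\")
    root_n = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_n, rel))  # collapses ".."
    try:
        common = ntpath.commonpath([root_n, candidate])
    except ValueError:                  # different drive or relative result
        return None
    # Compare whole path components, case-insensitively. A plain prefix test
    # would wrongly accept a sibling such as C:\FTGate\web2.
    if ntpath.normcase(common) != ntpath.normcase(root_n):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests; the first is the URL shown in the advisory.
    for u in ("http://www.example.com:8080/../newuser.txt",
              "http://www.example.com:8080/%2e%2e/newuser.txt",
              "http://www.example.com:8080/..%5cnewuser.txt",
              "http://www.example.com:8080/status.html"):
        print(u, "| naive:", naive_map(u), "| checked:", safe_map(u))
```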
|References

Source: OSVDB
Name: 1137
Link: http://www.osvdb.org/1137
Source: EEYE
Name: AD05261999
Link: http://www.eeye.com/html/Research/Advisories/AD05261999.html
