A vulnerability in Floosietek's FTGate allows remote malicious users to steal local files.
Floosietek's FTGate is a Win32 mail server program. One of its features is allowing administrators to check the status of the mail server using a web browser via a built-in web server.
The web server fails to check whether requested files fall outside its document tree (by using ".." in the URL). Thus attackers can retrieve files in the same drives as that on which the software resides if they know or can get it's filename.
FTGate contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the server not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the URI.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Floosietek no longer supports this product.