By design, the built-in FTP server for iSeries AS/400 systems does not support a restricted document root, which allows attackers to read or write arbitrary files, including sensitive QSYS databases, via a full pathname in a GET or PUT request.
IBM AS/400 iSeries FTP Server Traversal File Restriction Bypass
Remote / Network Access
Loss of Confidentiality
The OS/400 iSeries contains a flaw that may allow a remote attacker to access arbitrary files and database tables anywhere on the integrated file system (IFS). The built-in FTP server has full access to the IFS and provides no FTP document root, so a valid, authenticated user can access and retrieve via FTP all of the database tables and all of the files that he has authority to access through any application.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue. Third-party tools are available that attempt to secure access via FTP-specific ACLs. However, many of these tools are susceptible to the same style of attack.
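The missing document root and the weakness of bolt-on path ACLs can be illustrated with a path-confinement check. The following is an added example, not code from IBM or from any of the third-party tools mentioned; the root directory, the function names and the sample request paths are constructed for illustration.

```python
import posixpath

def naive_allowed(root, requested):
    """Flawed ACL: raw string prefix comparison on the requested path."""
    return requested.startswith(root)

def resolve_under_root(root, cwd, requested):
    """Return the normalized absolute path if it lies inside root, else None."""
    root = posixpath.normpath(root)
    # Relative names are resolved against the session's working directory.
    if requested.startswith("/"):
        candidate = requested
    else:
        candidate = posixpath.join(cwd, requested)
    # Collapse "." and ".." segments and duplicate slashes before comparing.
    candidate = posixpath.normpath(candidate)
    if candidate.startswith("//"):  # normpath preserves exactly two leading slashes
        candidate = "/" + candidate.lstrip("/")
    # Compare on a path-segment boundary, not on a bare string prefix.
    if candidate == root or candidate.startswith(root.rstrip("/") + "/"):
        return candidate
    return None

# Constructed configuration and request paths (hypothetical names).
ROOT = "/home/ftpuser"
SAMPLES = [
    "report.txt",                                  # relative name inside the root
    "/QSYS.LIB/PAYROLL.LIB/EMP.FILE",              # full pathname outside the root
    "../../QSYS.LIB/PAYROLL.LIB/EMP.FILE",         # relative escape
    "/home/ftpuser/../../QSYS.LIB/PAYROLL.LIB",    # starts with the root, escapes it
    "/home/ftpuser2/notes.txt",                    # sibling directory sharing the prefix
]

def audit(samples, root=ROOT):
    """Return (requested, naive_verdict, confined_path_or_None) per request."""
    return [(s, naive_allowed(root, s), resolve_under_root(root, root, s))
            for s in samples]

if __name__ == "__main__":
    for requested, naive, confined in audit(SAMPLES):
        print(f"{requested!r:50} naive={naive!s:5} confined={confined}")
```

String normalization alone does not resolve symbolic links, so a server enforcing a root this way would also need to resolve the path on the file system before the comparison.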