ProFTPD contains a flaw that allows a remote, authenticated attacker to traverse outside of a restricted path. The issue is due to the 'mod_site_misc' module not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'SITE MKDIR', 'SITE RMDIR', 'SITE SYMLINK' or 'SITE UTIME' commands. This directory traversal attack would allow the attacker to create and delete directories, create symlinks and modify timestamps.
Remote / Network Access
Loss of Integrity
Upgrade to version 1.3.3c or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.