Hijack kftpd/khttpd do not set CWD when browsing. Each file access is from the root level again (nice convenient hack, small performance cost).

It might be possible that they may have forgotten to close a file somewhere, but not likely.

Cheers