A remote user could gain read access to directories outside of the FTP root in a Jarle Aase War FTPD Server. Once a user is logged into the server, a specially crafted 'dir' command will disclose the contents of an arbitrary directory. This vulnerability could allow an attacker to gain read access to various files residing on the target machine.
WarFTPd dir Command Traversal Arbitrary Directory Listing
Remote / Network Access
Loss of Confidentiality
WarFTPd contains a flaw that allows a remote attacker to obtain arbitrary directory listings outside of the FTP root path. The issue is due to the server not properly sanitizing user input, specifically traversal-style sequences (../../) supplied via the "dir" command.
Upgrade to version 1.67 b5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
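The kind of containment check the description says was missing, as an added example that is not WarFTPd's code or its actual fix: the argument of a dir request is resolved lexically inside the virtual FTP namespace and rejected if it would climb above the root. The names `resolve_virtual`, `TraversalError` and `check`, the rejection of `:` in a segment, and the sample arguments are assumptions made for this sketch.

```python
class TraversalError(ValueError):
    """Client-supplied path would leave the FTP root."""


def resolve_virtual(cwd: str, arg: str) -> str:
    """Resolve a dir/LIST argument inside the virtual namespace.

    "/" is the FTP root. Resolution is purely lexical and happens before
    any filesystem call, so ".." can never step above the root.
    Hypothetical helper, not WarFTPd code.
    """
    if "\x00" in arg:
        raise TraversalError("NUL byte in path")
    # A Windows host treats "\" as a separator, so normalise it first.
    arg = arg.replace("\\", "/")
    # Absolute arguments restart at the virtual root, relative ones at cwd.
    parts = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for seg in arg.split("/"):
        if seg in ("", "."):
            continue
        if ":" in seg:
            # Assumption: drive letters / alternate streams are never valid.
            raise TraversalError(f"drive or stream syntax in {arg!r}")
        if seg == "..":
            if not parts:
                raise TraversalError(f"path escapes FTP root: {arg!r}")
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def check(cwd: str, arg: str) -> str:
    """Return the resolved virtual path, or 'DENIED' for a rejected one."""
    try:
        return resolve_virtual(cwd, arg)
    except TraversalError:
        return "DENIED"


if __name__ == "__main__":
    # Constructed sample arguments for a session whose cwd is /pub.
    for arg in ["docs", "../", "../../", "..\\..\\", "/a/./b/..", "C:\\"]:
        print(f"dir {arg!r:14} -> {check('/pub', arg)}")
```

Only the resolved virtual path should then be joined to the configured root directory; a server that follows symbolic links or junctions needs an additional check on the real path.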