Routed allows attackers to append data to files.

Extra long export lists over 256 characters in some mount daemons allows NFS directories to be mounted by anyone.

The SunView (SunTools) selection_svc facility allows remote users to read files.

Denial of service in Sendmail 8.6.11 and 8.6.12.

A quote cwd command on FTP servers can reveal the full path of the home directory of the "ftp" user.

websendmail in Webgais 1.0 allows a remote user to access arbitrary files and execute arbitrary code via the receiver parameter ($VAR_receiver variable).

Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.

Denial of service in in.comsat allows attackers to generate messages.

Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option.

IIS newdsn.exe CGI script allows remote users to overwrite files.

When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records.

Linux implementations of TFTP would allow access to files outside the restricted directory.

The wall daemon can be used for denial of service, social engineering attacks, or to execute remote commands.

Windows NT crashes or locks up when a Samba client executes a "cd .." command on a file share.

The convert.bas program in the Novell web server allows a remote attackers to read any file on the system that is internally accessible by the web server.

The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack.

FormMail CGI program can be used by web servers other than the host server that the program resides on.

In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system.

NFS allows users to use a "cd .." command to access other directories besides the exported file system.

A race condition in the Solaris ps command allows an attacker to overwrite critical files.

The "established" keyword in some Cisco IOS software allowed an attacker to bypass filtering.

Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases.

Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known.

Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service.