Many applications create a direct mapping between user input, and files on the filesystem. This can happen explicitly, for example the way a webserver maps URLs to the filesystem, or it could be harder to spot: for example if issuing the “HELP FOO” command causes the underlying program to display the resource “help/foo.txt”.
The most common directory traversal attack comes from a user making a request for ‘../../foo’: using the ‘..’ construct to escape to the directory above that in which the files should be found. This is, however, not the only unsafe pattern: several exploits have used ‘.|.’ instead.
This is a very common vulnerability. It is most prevalent in P2P software, or in applications that “grow” some kind of fileserver bolted on the side: since fileserving isn’t the core area of expertise for the developer, the dangers are often overlooked. For example, when ICQ was first shipped with a personal webserver, it was vulnerable to the simplest of directory traversal attacks.