Reported July 31, 2000 by Foundstone
SimpleServer adequately protects against directory traversal when attempted via the typical dot dot slash (../) syntax. However, if the ASCII characters for the dots are replaced with their hexidecimal equivalent (%2E) then directory traversal can succeed.
AnalogX released an updated version 1.07 of the product, which corrects the vulnerability.
Discovered by Foundstone