Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

DDIVRT-2011-33 IBM WebSphere Application Server 'help' Servlet Plug-in Bundle Directory Traversal [CVE-2011-1359]
From: ddivulnalert <ddivulnalert () ddifrontline com>
Date: Mon, 31 Oct 2011 09:53:41 -0500

Title
-----
DDIVRT-2011-33 IBM WebSphere Application Server 'help' Servlet Plug-in Bundle Directory Traversal [CVE-2011-1359]

Severity
--------
High

Date Discovered
---------------
July 28, 2011

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: Javier Castro, sxkeebler and r () b13$

Vulnerability Description
-------------------------
The default installation of the IBM WebSphere Application Server is 
deployed with a 'help' servlet which is designed to serve supporting 
documentation for the WebSphere system. When the 'help' servlet 
processes a URL that contains a reference to a Java plug-in Bundle 
that is registered with the Eclipse Platform Runtime Environment of 
the WebSphere Application Server, the 'help' servlet fails to ensure 
that the submitted URL refers to a file that is both located within the 
web root of the servlet and is of a type that is allowed to be served.

An unauthenticated remote attacker can use this weakness in the 
'help' servlet to retrieve arbitrary system files from the host that 
is running the 'help' servlet. This can be accomplished by submitting 
a URL which refers to a registered Java plug-in Bundle followed by a 
relative path to the desired file.

Solution Description
--------------------
IBM has released a patch for this issue. The patch is available through APAR PM45322.

http://www-01.ibm.com/support/docview.wss?uid=swg21509257

Tested Systems / Software (with versions)
------------------------------------------
WebSphere Application Server Version 8.0
WebSphere Application Server Version 7.0
WebSphere Application Server Version 6.1

Vendor Contact
--------------
Vendor Name: IBM
Vendor Website: http://www-01.ibm.com/software/webservers/appserv/was/library/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • DDIVRT-2011-33 IBM WebSphere Application Server 'help' Servlet Plug-in Bundle Directory Traversal [CVE-2011-1359] ddivulnalert (Nov 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault