[Full-disclosure] DDIVRT-2011-33 IBM WebSphere Application Server 'help' Servlet Plug-in Bundle Directory Traversal [CVE-2011-1359]



Title
-----
DDIVRT-2011-33 IBM WebSphere Application Server 'help' Servlet Plug-in Bundle Directory Traversal [CVE-2011-1359]

Severity
--------
High

Date Discovered
---------------
July 28, 2011

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: Javier Castro, sxkeebler and r@b13$

Vulnerability Description
-------------------------
The default installation of the IBM WebSphere Application Server is
deployed with a 'help' servlet which is designed to serve supporting
documentation for the WebSphere system. When the 'help' servlet
processes a URL that contains a reference to a Java plug-in Bundle
that is registered with the Eclipse Platform Runtime Environment of
the WebSphere Application Server, the 'help' servlet fails to ensure
that the submitted URL refers to a file that is both located within the
web root of the servlet and is of a type that is allowed to be served.

An unauthenticated remote attacker can use this weakness in the
'help' servlet to retrieve arbitrary system files from the host that
is running the 'help' servlet. This can be accomplished by submitting
a URL which refers to a registered Java plug-in Bundle followed by a
relative path to the desired file.

Solution Description
--------------------
IBM has released a patch for this issue. The patch is available through APAR PM45322.

http://www-01.ibm.com/support/docview.wss?uid=swg21509257

Tested Systems / Software (with versions)
------------------------------------------
WebSphere Application Server Version 8.0
WebSphere Application Server Version 7.0
WebSphere Application Server Version 6.1

Vendor Contact
--------------
Vendor Name: IBM
Vendor Website: http://www-01.ibm.com/software/webservers/appserv/was/library/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: WebSphere 7.0
    ... Macro 4 plc, The Orangery, Turners Hill Road, Worth, Crawley, RH10 4SS ... These documents describe how to download all available releases of WebSphere ... Application Server V7.0 installation images from the IBM Passport AdvantageR ...
    (bit.listserv.ibm-main)
  • DDIVRT-2011-33 IBM WebSphere Application Server help Servlet Plug-in Bundle Directory Tr
    ... The default installation of the IBM WebSphere Application Server is ... When the 'help' servlet ... IBM has released a patch for this issue. ...
    (Bugtraq)
  • Re: Software Pricing
    ... I've seen an IBM internal analysis of a Websphere Application Server ... the price of WAS for z/OS's license and subscription/support at 3 MSUs ...
    (bit.listserv.ibm-main)
  • Re: WebSphere 7.0
    ... I went on the IBM Websphere website and it indicates that the BETA Websphere ... Application Server V7.0 is now available for download. ...
    (bit.listserv.ibm-main)
  • Re: location of j_security_check
    ... I am looking for server specific information. ... mapping information in web.xml ... then where does the servlet class file reside. ... searched in Admin console application of WebSphere but could'nt find it ...
    (comp.lang.java.programmer)