Title
-----
DDIVRT-2011-33 IBM WebSphere Application Server 'help' Servlet Plug-in Bundle Directory Traversal [CVE-2011-1359]

Severity
--------
High

Date Discovered
---------------
July 28, 2011

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: Javier Castro, sxkeebler and r@b13$

Vulnerability Description
-------------------------
The default installation of the IBM WebSphere Application Server is 
deployed with a 'help' servlet which is designed to serve supporting 
documentation for the WebSphere system. When the 'help' servlet 
processes a URL that contains a reference to a Java plug-in Bundle 
that is registered with the Eclipse Platform Runtime Environment of 
the WebSphere Application Server, the 'help' servlet fails to ensure 
that the submitted URL refers to a file that is both located within the 
web root of the servlet and is of a type that is allowed to be served.

An unauthenticated remote attacker can use this weakness in the 
'help' servlet to retrieve arbitrary system files from the host that 
is running the 'help' servlet. This can be accomplished by submitting 
a URL which refers to a registered Java plug-in Bundle followed by a 
relative path to the desired file.

Solution Description
--------------------
IBM has released a patch for this issue. The patch is available through APAR PM45322.

http://www-01.ibm.com/support/docview.wss?uid=swg21509257

Tested Systems / Software (with versions)
------------------------------------------
WebSphere Application Server Version 8.0
WebSphere Application Server Version 7.0
WebSphere Application Server Version 6.1

Vendor Contact
--------------
Vendor Name: IBM
Vendor Website: http://www-01.ibm.com/software/webservers/appserv/was/library/