IBM WebSphere Application Server Long Filename Information Disclosure Vulnerability
Bugtraq ID: 40277
Class: Unknown
CVE: CVE-2010-0777
Remote: Yes
Local: No
Published: May 09 2010 12:00AM
Updated: May 20 2010 05:02PM
Credit: Reported by the vendor
Vulnerable:
IBM Websphere Application Server 7.0 3
IBM Websphere Application Server 7.0 .9
IBM Websphere Application Server 7.0 .8
IBM Websphere Application Server 6.1.2
IBM Websphere Application Server 6.1 .9
IBM Websphere Application Server 6.1 .8
IBM Websphere Application Server 6.1 .7
IBM Websphere Application Server 6.1 .6
IBM Websphere Application Server 6.1 .5
IBM Websphere Application Server 6.1 .4
IBM Websphere Application Server 6.1 .3
IBM Websphere Application Server 6.1 .25
IBM Websphere Application Server 6.1 .23
IBM Websphere Application Server 6.1 .22
IBM Websphere Application Server 6.1 .21
IBM Websphere Application Server 6.1 .20
IBM Websphere Application Server 6.1 .2
IBM Websphere Application Server 6.1 .19
IBM Websphere Application Server 6.1 .18
IBM Websphere Application Server 6.1 .17
IBM Websphere Application Server 6.1 .15
IBM Websphere Application Server 6.1 .14
IBM Websphere Application Server 6.1 .13
IBM Websphere Application Server 6.1 .12
IBM Websphere Application Server 6.1 .11
IBM Websphere Application Server 6.1 .10
IBM Websphere Application Server 6.1 .1
IBM Websphere Application Server 6.1
IBM Websphere Application Server 6.0.2 .9
IBM Websphere Application Server 6.0.2 .7
IBM Websphere Application Server 6.0.2 .5
IBM Websphere Application Server 6.0.2 .39
IBM Websphere Application Server 6.0.2 .35
IBM Websphere Application Server 6.0.2 .33
IBM Websphere Application Server 6.0.2 .31
IBM Websphere Application Server 6.0.2 .3
IBM Websphere Application Server 6.0.2 .29
IBM Websphere Application Server 6.0.2 .27
IBM Websphere Application Server 6.0.2 .25
IBM Websphere Application Server 6.0.2 .24
IBM Websphere Application Server 6.0.2 .23
IBM Websphere Application Server 6.0.2 .22
IBM Websphere Application Server 6.0.2 .21
IBM Websphere Application Server 6.0.2 .17
IBM Websphere Application Server 6.0.2 .15
IBM Websphere Application Server 6.0.2 .13
IBM Websphere Application Server 6.0.2 .11
IBM Websphere Application Server 6.0.2 .1
IBM Websphere Application Server 6.0.2
IBM Websphere Application Server 7.0.0.7
IBM Websphere Application Server 7.0.0.5
IBM Websphere Application Server 7.0.0.1
IBM Websphere Application Server 7.0
IBM Websphere Application Server 6.1.0.29
IBM Websphere Application Server 6.1.0.27
IBM Websphere Application Server 6.0.2.41
IBM Websphere Application Server 6.0.2.19
IBM Websphere Application Server 6.0.2 Fix Pack 17
Not Vulnerable:
IBM Websphere Application Server 7.0 .11
IBM Websphere Application Server 6.1.0.31
IBM Websphere Application Server 6.0.2.43
IBM WebSphere Application Server (WAS) is prone to an information-disclosure vulnerability.
Exploiting this issue may allow an attacker to access sensitive information that may aid in further attacks.
This issue affects WAS 6.0, 6.1, and 7.0.
An attacker can exploit this issue through a browser.
Solution:
IBM has released fixes. Please see the vendor reference for details.
References:
* Fix list for IBM WebSphere Application Server V6.1 (IBM)
* IBM Websphere Homepage (IBM)
* WebSphere Application Server Web Container information disclosure (IBM)
1 comment
Comment from: Derick Jones [Visitor]
I belong to an online learning community (U-2-Me) and some of my students work on Domino. They might find this blog useful. Thanks for the tips and information.
10/08/10 @ 05:43