OSVDB ID: 10490

Title: IBM Trading Partner Interchange Jetty Server Traversal Arbitrary File Access

Info

Disclosure

Oct 05, 2004

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Trading Partner Interchange contains a flaw that may allow a malicious user to arbitarily access files. The issue is triggered when a specially crafted URL is submitted to the Jetty HTTP server. It is possible that the flaw may allow arbitrary file access resulting in a loss of confidentiality.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Confidentiality
Exploit: Exploit Public
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 4.2.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

International Business Machines Corporation	Trading Partner Interchange	4.2.2
		4.2.1

References

Security Tracker: 1011545 1016975
Bugtraq ID: 11330
Secunia Advisory ID: 12703 22229
ISS X-Force ID: 17600
CVE ID: 2004-2478 (see also: NVD)
VUPEN Advisory: ADV-2006-3873
Keyword: CAID 34661
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-10/0061.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049846.html
Other Advisory URL: http://www-1.ibm.com/support/docview.wss?uid=swg21178665
Vendor Specific Advisory URL: http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34661

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/10490

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

International Business Machines Corporation

Trading Partner Interchange

References

Credit