[Original text] Directory traversal vulnerability in IBM Tivoli WebSEAL Policy Director 3.01 through 3.7.1 allows remote attackers to read arbitrary files or directories via encoded .. (dot dot) sequences containing "%2e" strings.
IBM Tivoli SecureWay WebSEAL Proxy Policy Director Encoded Traversal Arbitrary File Access
Remote / Network Access
Loss of Integrity
Tivoli SecureWay Policy Director contains a flaw that allows a remote attacker to access arbitrary files or execute arbitrary scripts outside of the web path. The issue is due to the server not properly sanitizing user input, specifically encoded traversal-style sequences (../../) supplied via the URI.
Currently, there are no known workarounds or upgrades to correct this issue. However, IBM has released a patch to address this vulnerability.
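The flaw class described above (a traversal filter that misses "%2e"-encoded dot-dot sequences) is shown here as an added Python example; it is not WebSEAL code, and the document root, function names and sample paths are assumptions constructed for illustration. It contrasts a check applied before URL-decoding with one that decodes, canonicalises and then verifies containment.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # hypothetical document root (assumption)

def naive_resolve(raw_path):
    """Flawed order: look for '..' in the raw URI, decode afterwards."""
    if ".." in raw_path:
        return None  # only catches the unencoded form
    decoded = unquote(raw_path)
    return posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))

def safe_resolve(raw_path):
    """Decode once, canonicalise, then require the result to stay in DOCROOT."""
    decoded = unquote(raw_path)
    # A second decode that still changes the string means double encoding.
    if unquote(decoded) != decoded:
        return None
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    # Lexical containment check; a real server would also resolve symlinks.
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        return None
    return candidate

# Constructed sample request paths
SAMPLES = [
    "/docs/index.html",
    "/../private/outside.txt",
    "/%2e%2e/%2e%2e/private/outside.txt",
    "/%252e%252e/private/outside.txt",
    "/docs/%2e%2e/index.html",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path!r:45} naive={naive_resolve(path)!r} safe={safe_resolve(path)!r}")
```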