Sun iPlanet Administration Server ViewLog Arbitrary File Access
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
iPlanet Administration Server contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the "ViewLog" script not properly sanitizing user input, specifically directory traversal sequences (../../) supplied via the "file" variable.
Currently, there are no known workarounds or upgrades to correct this issue. However, Sun Microsystems has released a patch (SunOne DS5.2 and iDS5.1 SP2 Hotfix2) to address this vulnerability.
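
The missing check, as an added example that is not Sun's code or the contents of the hotfix: a resolver for a log viewer's "file" parameter that canonicalizes the requested name and refuses anything that does not resolve to a regular file inside the log directory. The function names, directory layout and sample inputs are assumptions constructed for illustration, and the parameter is assumed to arrive already URL-decoded by the web layer.

```python
import os
import tempfile

class LogAccessDenied(Exception):
    """Raised when the requested name does not resolve inside the log directory."""

def resolve_log_path(log_dir: str, file_param: str) -> str:
    """Map a user-supplied "file" value to a real path inside log_dir, or raise."""
    # Reject empty names and NUL bytes before touching the filesystem.
    if not file_param or "\x00" in file_param:
        raise LogAccessDenied("empty or malformed name")
    base = os.path.realpath(log_dir)
    # realpath collapses ".." and follows symlinks, so the containment check
    # runs on the path the OS would actually open, not on the raw string.
    candidate = os.path.realpath(os.path.join(base, file_param))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise LogAccessDenied("path escapes log directory")
    if not os.path.isfile(candidate):
        raise LogAccessDenied("not a regular file")
    return candidate

def demo() -> dict:
    """Run constructed inputs against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        log_dir = os.path.join(root, "logs")
        os.mkdir(log_dir)
        with open(os.path.join(log_dir, "access"), "w") as fh:
            fh.write("constructed log line\n")
        with open(os.path.join(root, "secret.conf"), "w") as fh:
            fh.write("constructed secret\n")
        # A symlink inside the log directory that points outside it.
        os.symlink(os.path.join(root, "secret.conf"), os.path.join(log_dir, "link"))
        for value in ("access", "../secret.conf", "../../etc/passwd",
                      "/etc/passwd", "link", "%2e%2e/secret.conf", ""):
            try:
                resolve_log_path(log_dir, value)
                results[value] = "allowed"
            except LogAccessDenied as exc:
                results[value] = "denied: " + str(exc)
    return results

if __name__ == "__main__":
    for value, outcome in demo().items():
        print(repr(value), "->", outcome)
```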