Red Hat Security Advisory 2013-1193-01 – JBoss Web is the web container, based on Apache Tomcat, in Red Hat JBoss Enterprise Application Platform. It provides a single deployment platform for the JavaServer Pages and Java Servlet technologies. A flaw was found in the way the DiskFileItem class handled NULL characters in file names. A remote attacker able to supply a serialized instance of the DiskFileItem class, which will be deserialized on a server, could use this flaw to write arbitrary content to any location on the server that is accessible to the user running the application server process…. Red Hat Security Advisory 2013-1193-01 – JBoss Web is the web container, based on Apache Tomcat, in Red Hat JBoss Enterprise Application Platform. It provides a single deployment platform for the JavaServer Pages and Java Servlet technologies. A flaw was found in the way the DiskFileItem class handled NULL characters in file names. A remote attacker able to supply a serialized instance of the DiskFileItem class, which will be deserialized on a server, could use this flaw to write arbitrary content to any location on the server that is accessible to the user running the application server process.

Read more http://packetstormsecurity.com/files/123066/RHSA-2013-1193-01.txt