On December 1st, while conducting a penetration test of a TAM enabled web application, VSR identified a vulnerability in Tivoli Web Server Plug-in which is a component of Tivoli Access Manager (TAM). This flaw allows an authenticated attacker to retrieve files (which reside outside of the web root) from the web server on which the plug-in resides. It is possible to retrieve any file or list any directory which is readable by the web server software.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/43594/tam-file-retrieval.txt
Source: https://packetstormsecurity.com/files/43594/tam-file-retrieval.txt.html