[whizkunde security advisory: talkback (CGI)] http://www.whizkunde.org | firstname.lastname@example.org
Release date: April 9th 2001
Subject: talkback.cgi security problem
Systems affected: UNIX systems running talkback CGI script
Vendor: http://www.waytotheweb.com
Consider this URL:
This will display /etc/passwd (if the web server user has read access to this file).
Another URL can display the source of talkback.cgi itself, which contains the admin password:
(You might have to use another URL instead of ../cgi-bin/talkback.cgi%00; this depends on where the cgi-bin is installed.)
In this file you can find $admin_password that can be used in
to post & delete articles.
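Requests of the kind described above leave a recognisable trace in web server access logs: a talkback.cgi query string containing a `..` path segment and an encoded NUL byte. The following is an added example, not part of the original advisory or the vendor's code; the log lines are constructed and the parameter name `PARAM` is a placeholder, since the advisory does not name the parameter.

```python
import re
from urllib.parse import unquote_to_bytes

# Request field of a common/combined log format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A ".." path segment, delimited by '=', '&', '/', '\' or the string edges
DOTDOT_RE = re.compile(rb"(^|[=&/\\])\.\.([/\\]|$)")

def decode_fully(raw, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%2500) is seen too."""
    data = raw.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data

def suspicious(line, script="talkback.cgi"):
    """Return the reasons a logged request to `script` matches the advisory."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    path, _, query = m.group(1).partition("?")
    if not path.endswith("/" + script):
        return []
    q = decode_fully(query)
    reasons = []
    if b"\x00" in q:
        reasons.append("nul-byte")
    if DOTDOT_RE.search(q):
        reasons.append("dot-dot-segment")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every flagged log line."""
    return [(n, r) for n, l in enumerate(lines, 1) if (r := suspicious(l))]

# Constructed sample log lines; PARAM is a placeholder parameter name.
SAMPLE = [
    '192.0.2.10 - - [09/Apr/2001:10:00:00 +0000] "GET /cgi-bin/talkback.cgi?PARAM=42 HTTP/1.0" 200 512',
    '192.0.2.11 - - [09/Apr/2001:10:00:05 +0000] "GET /cgi-bin/talkback.cgi?PARAM=../cgi-bin/talkback.cgi%00 HTTP/1.0" 200 9041',
    '192.0.2.11 - - [09/Apr/2001:10:00:09 +0000] "GET /cgi-bin/talkback.cgi?PARAM=..%252Fcgi-bin%252Ftalkback.cgi%2500 HTTP/1.0" 200 9041',
    '192.0.2.12 - - [09/Apr/2001:10:01:00 +0000] "GET /cgi-bin/other.cgi?x=..%2F HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE):
        print(n, ",".join(reasons))
```

A hit with a 200 status and an unusually large response size is worth checking first, since the script source contains the admin password.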
Stan a.k.a. ThePike email@example.com http://www.whizkunde.org
Copyright whizkunde security team 2001