talkback.cgi vulnerability may allow users to read any file

Type securityvulns
Reporter Securityvulns
Modified 2001-04-10T00:00:00


[whizkunde security advisory: talkback (CGI)] |

Release date: April 9th 2001 Subject: talkback.cgi security problem Systems affected: UNIX systems running talkback CGI script Vendor:

  1. problem Talkback.cgi may allow remote users (website visitors) to view any file on a webserver (depending on the user the webserver is running on).

Regard this URL: ../../../../../../../../etc/passwd%00&action=view&matchview=1

This will display the /etc/passwd (if the webserver user has access to this file).

Another URL can display the source of talkback.cgi itself that contains the admin password: ../cgi-bin/talkback.cgi%00&action=view&matchview=1

(You might have to use another URL instead of ../cgi-bin/talkback.cgi%00, this depends on where the cgi-bin is installed.)

In this file you can find $admin_password that can be used in

to post & delete articles.

  1. fix Way To The Web has released an updated version of talkback.cgi that isn't vulnerable to this problem:

Stan a.k.a. ThePike

Copyright whizkunde security team 2001