
Talkback.cgi retrieve arbitrary files

    Stan a.k.a. ThePike found the following.  Talkback.cgi may allow
    remote users (website visitors) to view any file on a webserver
    (depending on the user the webserver is running as).

    This will display /etc/passwd (if the webserver user has access to
    this file).  Another URL can display the source of talkback.cgi
    itself, which contains the admin password:

    You might have to use another URL instead of
    ../cgi-bin/talkback.cgi%00; this depends on where the cgi-bin is
    installed.  In this file you can find $admin_password, which can be
    used in

    to post & delete articles.
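    As an added example (not code from the advisory or from Way To The Web's
    updated script), the Python below shows the two checks a script of this
    kind needs before opening a user-supplied article name (reject an encoded
    NUL, which truncates the path in the underlying open(), and confine the
    name to an allow-list inside a fixed directory), plus a filter that flags
    access-log lines carrying the traversal/NUL markers described above.  The
    directory layout, parameter name and log lines are constructed assumptions.

```python
import os
import re
from urllib.parse import unquote

# Assumed layout for the example; the real script's directory is not on the page.
ARTICLE_DIR = os.path.realpath("/var/www/talkback/articles")
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def resolve_article(param):
    """Return an absolute path inside ARTICLE_DIR, or None if the request is unsafe."""
    name = unquote(param)
    if "\x00" in name:                  # %00 would cut the path short in open()
        return None
    if not SAFE_NAME.fullmatch(name):   # rejects '/', '..', '%' and anything else odd
        return None
    path = os.path.realpath(os.path.join(ARTICLE_DIR, name + ".txt"))
    # Defence in depth: confirm the resolved path is still under ARTICLE_DIR.
    if os.path.commonpath([path, ARTICLE_DIR]) != ARTICLE_DIR:
        return None
    return path

# Markers of the two techniques in the advisory: '..' traversal and NUL truncation.
TRAVERSAL = re.compile(r"(\.\./|%2e%2e|%00|\x00)", re.IGNORECASE)

def suspicious_requests(log_lines):
    """Yield (client, request_path) for talkback.cgi requests carrying those markers."""
    for line in log_lines:
        parts = line.split()            # common log format: request path is field 7
        if len(parts) < 7 or "talkback.cgi" not in parts[6]:
            continue
        if TRAVERSAL.search(parts[6]):
            yield parts[0], parts[6]

SAMPLE_LOG = [  # constructed lines in common log format, not a real capture
    '203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] "GET /cgi-bin/talkback.cgi?article=../../../../etc/passwd%00 HTTP/1.0" 200 1024',
    '198.51.100.9 - - [10/Oct/2000:13:56:01 +0000] "GET /cgi-bin/talkback.cgi?article=hello HTTP/1.0" 200 512',
    '203.0.113.5 - - [10/Oct/2000:13:57:12 +0000] "GET /cgi-bin/talkback.cgi?article=../cgi-bin/talkback.cgi%00 HTTP/1.0" 200 4096',
]

if __name__ == "__main__":
    print(resolve_article("hello"))                          # a path under ARTICLE_DIR
    print(resolve_article("../cgi-bin/talkback.cgi%00"))     # None
    for client, request in suspicious_requests(SAMPLE_LOG):
        print("flagged", client, request)
```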


    Way To The Web has released an updated version of talkback.cgi
    that isn't vulnerable to this problem:

Site design & layout copyright © 1986-2015 AOH