‘My Postcards’ Magiccard.cgi Directory Traversal Vulnerability

Summary

My Postcards is a ready-to-use Web application. It includes precompiled C++ executables, shell scripts, HTML and text templates, manuals and admin tools (e-mail address extraction, element frequency stats, usage stats, old card cleanup, etc.). A security vulnerability in the product allows remote attackers to read any world-readable file on the remote server.

Credit:

The information has been provided by Cult.


Details

Vulnerable systems:
 * My Postcards version 5.00

Immune systems:
 * My Postcards version 5.07
 * My Postcards version 5.16
 * My Postcards version 5.17
 * My Postcards version 5.20a
 * My Postcards version 6.06

Example:
http://www.xxxxxx.com/cgi-bin/magiccard.cgi?pa=preview&next=custom&page=../../../../../../../../../../etc/passwd
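
Detection: the request above leaves a recognizable trace in web server access logs. The following is an added example, not part of the original advisory or the product: it flags requests to magiccard.cgi whose page parameter contains a path traversal, including percent-encoded and double-encoded forms. The log lines, addresses and function names are constructed for illustration, and a combined-style access log format is assumed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (documentation-range IPs); not from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2002:10:00:00 +0000] "GET /cgi-bin/magiccard.cgi?pa=preview&next=custom&page=birthday HTTP/1.0" 200 5120',
    '192.0.2.44 - - [01/Jan/2002:10:01:00 +0000] "GET /cgi-bin/magiccard.cgi?pa=preview&next=custom&page=../../../../etc/passwd HTTP/1.0" 200 1432',
    '192.0.2.44 - - [01/Jan/2002:10:02:00 +0000] "GET /cgi-bin/magiccard.cgi?pa=preview&next=custom&page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.0" 200 1432',
    '192.0.2.44 - - [01/Jan/2002:10:03:00 +0000] "GET /cgi-bin/magiccard.cgi?pa=preview&next=custom&page=%252e%252e%252fetc%252fpasswd HTTP/1.0" 200 1432',
    '192.0.2.77 - - [01/Jan/2002:10:04:00 +0000] "GET /help.html?page=../notes HTTP/1.0" 404 210',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the value is an absolute path or contains a '..' path segment."""
    value = fully_decode(value).replace("\\", "/")
    return value.startswith("/") or ".." in value.split("/")

def suspicious_requests(lines):
    """Return log lines where magiccard.cgi received a traversal in 'page'."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith("/magiccard.cgi"):
            continue
        values = parse_qs(url.query, keep_blank_values=True).get("page", [])
        if any(is_traversal(v) for v in values):
            hits.append(line)
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status and a response size unlike that of normal card previews is worth prioritizing when reviewing results on a server that ran version 5.00.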

Categories: UNIX