A standard Perl problem exists in the statistics module, file hsx.cgi: the script does not filter ../ and %00. Through this bug, you can remotely read any file and list directories.

../ - directory up
%00 - hex symbol that means end of line

Exploit:

lynx http://www.victim.ru/cgi-bin/hsx.cgi?show=../../../../../../etc/passwd%00

by MC GaN of NerF security gr0up (Russia) - www.nerf.f2s.com
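Added example (not part of the original advisory and not code from hsx.cgi): one way a Perl CGI can validate a file-name parameter such as show so that ../ and a decoded %00 are both rejected. The function name resolve_show, the allow-list pattern and the temporary base directory are assumptions made for illustration; the inputs in the loop are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper: returns a path that is safe to open, or nothing.
# $show is assumed to be the already URL-decoded "show" parameter.
sub resolve_show {
    my ($show, $base) = @_;
    return unless defined $show && length $show;

    # A decoded %00 is a NUL byte: Perl keeps it in the string, but the
    # underlying OS call treats it as the end of the path.
    return if $show =~ /\0/;

    # Allow-list a plain file name, so "/" and a leading "." never pass.
    return unless $show =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;

    # Defence in depth: resolve symlinks and require the result to stay
    # under the base directory and to be a regular file.
    my $root = eval { realpath($base) };
    return unless defined $root;
    my $full = eval { realpath(File::Spec->catfile($root, $show)) };
    return unless defined $full && -f $full;
    return unless index($full, "$root/") == 0;
    return $full;
}

# Constructed demo: a temporary directory stands in for the statistics data.
my $base = tempdir(CLEANUP => 1);
open(my $fh, '>', "$base/daily.log") or die "cannot create sample file: $!";
print {$fh} "hits=1\n";
close($fh);

for my $show ('daily.log', '../../../../../../etc/passwd',
              "../../../../../../etc/passwd\0", "daily.log\0.html") {
    (my $shown = $show) =~ s/\0/%00/g;    # make the NUL byte visible
    my $verdict = defined(resolve_show($show, $base)) ? 'served' : 'rejected';
    printf "%-36s %s\n", $shown, $verdict;
}
```

Only daily.log is served; the three other requests are rejected before any file is opened. When the validated path is finally read, the three-argument form open($fh, '<', $path) keeps the file name from being interpreted as a mode or pipe.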