Name   : talkback (CGI): "show files" vulnerability.
Problem: Talkback.cgi may allow remote users (website visitors) to
         view any file on a webserver (depending on the user the
         webserver is running as).


This will display /etc/passwd (if the webserver user has
access to this file).

Another URL can display the source of talkback.cgi itself
that contains the admin password:

(You might have to use another URL instead of
../cgi-bin/talkback.cgi%00; this depends on where the
cgi-bin is installed.)

                by: Stan a.k.a. ThePike (
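
Added example (not part of the original advisory, and not code from talkback itself): a log check that flags requests to talkback.cgi whose query values decode to a NUL byte or a ".." path segment, the two markers visible in the ../cgi-bin/talkback.cgi%00 string above. The parameter name "article", the function names and the log lines are assumptions constructed for illustration; the advisory does not name the affected parameter.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request field of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%2500) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target, script="talkback.cgi"):
    """Return [(param, reason)] for a request target that hits the script."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/" + script):
        return []
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(value)  # parse_qsl has already decoded once
        if "\x00" in value:
            findings.append((name, "NUL byte"))
        if ".." in re.split(r"[\\/]", value):
            findings.append((name, "parent-directory traversal"))
    return findings

def scan_log(lines):
    """Return [(line_number, param, reason)] over access-log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            hits += [(number, p, r) for p, r in suspicious_params(match.group(1))]
    return hits

# Constructed sample lines; the parameter name "article" is hypothetical.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /cgi-bin/talkback.cgi?article=42 HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2001:10:00:05 +0000] "GET /cgi-bin/talkback.cgi?article=../cgi-bin/talkback.cgi%00 HTTP/1.0" 200 2048',
    '192.0.2.11 - - [01/Jan/2001:10:00:09 +0000] "GET /cgi-bin/talkback.cgi?article=..%252Fcgi-bin%252Ftalkback.cgi%2500 HTTP/1.0" 200 2048',
    '192.0.2.12 - - [01/Jan/2001:10:00:12 +0000] "GET /index.html?x=../a HTTP/1.0" 200 100',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 and a response size well above the script's normal output is the one to review first, since it suggests file contents were returned.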