Exploit Database - Logo

My Postcards 6.0 - 'MagicCard.cgi' Arbitrary File Disclosure

EDB-ID: 21558 Author: cult Published: 2002-06-15
CVE: CVE-2002-1966 Type: Webapps Platform: CGI
Aliases: N/A Advisory/Source: Link Tags: Vulnerability
E-DB Verified: Verified Exploit: Download Exploit Code Download / View Raw Vulnerable App: N/A
« Previous Exploit Next Exploit » 
source: http://www.securityfocus.com/bid/5029/info

My Postcards is a commercial available eletronic postcard system. It is available for Unix and Linux Operating Systems.

The magiccard.cgi script does not properly handle some types of input. As a result, it may be possible for a remote user to specify the location of a specific file on the system hosting the My Postcards software. Upon specifying the location of a file that is readable by the web server process, the user could disclose the contents of the specified file. 

http://www.example.com/cgi-bin/magiccard.cgi?pa=preview&next=custom&page=../../../../../../../../../../etc/passwd

Related Exploits

Trying to match CVEs (1): CVE-2002-1966
Trying to match OSVDBs (1): 39356
Other Possible E-DB Search Terms: My Postcards 6.0,  My Postcards
Date D V Title Author
No matches
Menu