A remote user without valid credentials can view the contents of any file whose path is known on a system running CGI Script Center Auction Weaver. The form fields username and bidfile, combined with null characters and the double-dot ("..") directory traversal technique, can be used to gain read access to arbitrary files.
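The input check that blocks this class of request, as an added example (not Auction Weaver's code): the username and bidfile values are validated against an allowlist and the resolved path is confined to a data directory. The `<base_dir>/<username>/<bidfile>` layout and all function names are assumptions made for illustration.

```python
import os
import re
import tempfile

# Allowlist: letters, digits, underscore, hyphen; optional single extension.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,8})?")

class RejectedField(ValueError):
    """Raised when a form field cannot be used as a file name component."""

def check_field(name, value):
    # A NUL byte truncates the path in C-level file APIs, dropping any
    # suffix the script appends, so reject it before anything else.
    if "\x00" in value:
        raise RejectedField(f"{name}: null character")
    # fullmatch refuses "..", "/" and "\" because none are in the allowlist.
    if not _SAFE_NAME.fullmatch(value):
        raise RejectedField(f"{name}: not an allowed file name component")
    return value

def resolve_bid_file(base_dir, username, bidfile):
    """Return the canonical path of <base_dir>/<username>/<bidfile>, or raise."""
    user = check_field("username", username)
    bid = check_field("bidfile", bidfile)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user, bid))
    # Defence in depth: after resolving symlinks the path must stay under base.
    if os.path.commonpath([base, candidate]) != base:
        raise RejectedField("resolved path escapes the data directory")
    return candidate

def demo():
    """Run constructed inputs through the check; return a label -> verdict map."""
    samples = {  # constructed sample values, not taken from the advisory
        "normal": ("alice", "item42.dat"),
        "dotdot": ("alice", "../../etc/passwd"),
        "nullbyte": ("alice", "item42\x00.dat"),
        "dotdot_user": ("..", "item42.dat"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for label, (user, bid) in samples.items():
            try:
                resolve_bid_file(base, user, bid)
                results[label] = "accepted"
            except RejectedField:
                results[label] = "rejected"
    return results
```

Rejections are worth logging with the raw field values, since a null character or ".." in either field has no legitimate use.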