COMMAND

    PerlCal

SYSTEMS AFFECTED

    *NIX (not Windows) systems running the PerlCal CGI script

PROBLEM

    Stan a.k.a. ThePike found the following.  cal_make.pl of the
    PerlCal script may allow remote users (website visitors) to view
    any file on a webserver (depending on the user the webserver is
    running as).

    Consider this URL:

        http://www.VULNERABLE.com/cgi-bin/cal_make.pl?p0=../../../../../../../../../../../../etc/passwd%00

    This will display /etc/passwd (if the webserver user has access
    to this file).

SOLUTION

    The PerlCal vendor was warned.  Because the vendor still hasn't
    fixed the problem, this advisory was released.  In the meantime
    it might be a good idea to just chmod 000 your PerlCal scripts.
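
    To check whether requests like the URL above have already reached
    a server, the access log can be searched for cal_make.pl requests
    whose p0 value contains a null byte or dot-dot path segments.  The
    following is an added example, not part of the original advisory
    or of PerlCal; the Common Log Format layout, the function names
    and the sample log lines are assumptions constructed for
    illustration.

```python
import re
from urllib.parse import unquote

# Common/Combined Log Format is assumed; adjust the pattern for other layouts.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3})')

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /cgi-bin/cal_make.pl?p0=../../../../etc/passwd%00 HTTP/1.0" 200 1532',
    '192.0.2.11 - - [01/Jan/2001:10:00:05 +0000] "GET /cgi-bin/cal_make.pl?p0=events HTTP/1.0" 200 4096',
    '198.51.100.7 - - [01/Jan/2001:10:01:00 +0000] "GET /cgi-bin/cal_make.pl?p0=%2e%2e/%2e%2e/etc/passwd%00 HTTP/1.0" 403 210',
]

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so percent-encoded and re-encoded input is normalized."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_p0(raw):
    """Return the reasons a raw (still encoded) p0 value matches this advisory."""
    value = decode_fully(raw)
    reasons = []
    if "\x00" in value:
        reasons.append("null-byte")
    if ".." in re.split(r"[\\/]", value):
        reasons.append("dot-dot-segment")
    return reasons

def scan(lines):
    """Return (client, status, reasons) for suspicious cal_make.pl requests."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        path, _, query = target.partition("?")
        if not path.endswith("/cal_make.pl"):
            continue
        # Inspect the raw pairs so decoding happens only in classify_p0.
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            reasons = classify_p0(raw) if name == "p0" else []
            if reasons:
                hits.append((client, int(status), reasons))
    return hits
```

    A hit logged with status 200 means the response may have
    contained the requested file and deserves follow-up.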