COMMAND

    WebBanner

SYSTEMS AFFECTED

    Selena Sol's WebBanner 4.0

PROBLEM

    Johannes Westerink found the following. In your browser, simply type:

        http://yourdomain/random_banner/index.cgi?image_list=alternative_image.list&html_file=../../../../../etc/passwd

    ... and you should see the passwd file, read as user nobody (if the
    server is serving pages as user nobody). Trying to execute a command
    with | won't always work, because by default the script runs with the
    -T option: #!/usr/bin/perl -T. You can first view the script code in
    the way shown above and check whether the -T option is there; if it
    is not, you can execute any command as user nobody
    (....&html_file=|ls -la|).

SOLUTION

    A newer version should fix that.
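
    As an added example (not WebBanner's own code), this is one way a
    CGI script of this kind can validate the html_file parameter and
    open the file so that neither the ../ value nor the | value above
    is honoured. The template directory and the function names are
    assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
# Run as ./check.pl or "perl -T check.pl".
use strict;
use warnings;
use File::Spec;

# Assumed directory holding the banner HTML files (hypothetical path).
my $TEMPLATE_DIR = '/var/www/random_banner/templates';

# Return a safe, untainted path for a requested file name, or nothing.
sub safe_template_path {
    my ($name) = @_;
    return unless defined $name;
    # Accept only a bare file name: no '/', no '..', no '|'.
    # \z (not $) also refuses a trailing newline. The capture untaints.
    return unless $name =~ /\A([A-Za-z0-9][A-Za-z0-9_-]{0,63}\.html?)\z/;
    return File::Spec->catfile($TEMPLATE_DIR, $1);
}

sub read_template {
    my ($name) = @_;
    my $path = safe_template_path($name) or return;
    # Three-argument open: the mode is fixed to '<', so a leading or
    # trailing '|' can never turn the call into a pipe. Taint mode (-T)
    # refuses tainted data in a piped open, but it does not check a
    # plain open for reading, which is why the name is validated first.
    open(my $fh, '<', $path) or return;
    local $/;                      # slurp the whole file
    my $html = <$fh>;
    close $fh;
    return $html;
}

# Constructed sample inputs, including the two values from the advisory.
for my $req ('banner.html', '../../../../../etc/passwd',
             '|ls -la|', '/etc/passwd') {
    my $verdict = defined(safe_template_path($req)) ? 'accepted' : 'rejected';
    printf "%-28s %s\n", $req, $verdict;
}
```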