https://www.exploit-db.com/exploits/21558
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-749

MyPostcards是一款商业电子贺卡系统，可使用在多种Unix和Linux操作系统下。MyPostcards中的magiccard.cgi脚本处理用户输入时缺少正确检查，远程攻击者可以利用这个漏洞进行目录遍历攻击。magiccard.cgi脚本page参数对用户提交的数据缺少过滤，远程攻击者可以提交包含多个’../’字符并追加系统文件名的请求，而导致以WEB进程权限查看目标系统上任意文件内容，造成敏感信息泄露。

source: http://www.securityfocus.com/bid/5029/info

My Postcards is a commercial available eletronic postcard system. It is available for Unix and Linux Operating Systems.

The magiccard.cgi script does not properly handle some types of input. As a result, it may be possible for a remote user to specify the location of a specific file on the system hosting the My Postcards software. Upon specifying the location of a file that is readable by the web server process, the user could disclose the contents of the specified file. 

http://www.example.com/cgi-bin/magiccard.cgi?pa=preview&next=custom&page=../../../../../../../../../../etc/passwd

来源:BID
名称:5029
链接:http://www.securityfocus.com/bid/5029
来源:www.securiteam.com
链接:http://www.securiteam.com/unixfocus/5IP0G2K7FQ.html
来源:packetstormsecurity.nl
链接:http://packetstormsecurity.nl/0206-exploits/magiccard_vuln.txt
来源：NSFOCUS
名称：2977
链接：http://www.nsfocus.net/vulndb/2977