source: https://www.securityfocus.com/bid/5029/info
My Postcards is a commercial available eletronic postcard system. It is available for Unix and Linux Operating Systems.
The magiccard.cgi script does not properly handle some types of input. As a result, it may be possible for a remote user to specify the location of a specific file on the system hosting the My Postcards software. Upon specifying the location of a file that is readable by the web server process, the user could disclose the contents of the specified file.
http://www.example.com/cgi-bin/magiccard.cgi?pa=preview&next=custom&page=../../../../../../../../../../etc/passwd
