COMMAND

    PALS Library System

SYSTEMS AFFECTED

    PALS Library System

PROBLEM

    'UkR-XblP' found the following. This script is derived from an idea
    originated at St. Olaf College to provide a www interface to the
    PALS Library System. This idea was then worked on at Georgia
    State University. This version of WebPals has been written using
    their original idea.

    Through this bug you can read any file and execute commands. The
    problem lies in the "pine pipe bug". Exploit:

        http://www.victim.com/cgi-bin/pals-cgi?palsAction=restart&documentName=url_to_file
        http://www.victim.com/pals-cgi?palsAction=restart&documentName=url_to_command

SOLUTION

    Nothing yet.
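
    With no fix listed, one way to spot requests of the kind shown under
    PROBLEM is to scan web server access logs for pals-cgi requests whose
    documentName is not a plain file name. This is an added example, not
    part of the original advisory or of WebPals; the log lines are
    constructed, and the allow-list pattern and the names classify and
    scan are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: legitimate documentName values are plain file names such as "help.html".
SAFE_NAME_RE = re.compile(r'^[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)?$')

# Constructed access-log lines for illustration; not taken from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /cgi-bin/pals-cgi?palsAction=restart&documentName=/var/tmp/sample.txt HTTP/1.0" 200 812',
    '192.0.2.11 - - [01/Jan/2001:10:00:05 +0000] "GET /pals-cgi?palsAction=restart&documentName=sample-command%7C HTTP/1.0" 200 40',
    '192.0.2.12 - - [01/Jan/2001:10:00:09 +0000] "GET /cgi-bin/pals-cgi?palsAction=restart&documentName=help.html HTTP/1.0" 200 1500',
    '192.0.2.13 - - [01/Jan/2001:10:00:12 +0000] "GET /index.html HTTP/1.0" 200 300',
]

def classify(value):
    """Return the reasons a decoded documentName looks unsafe (empty list if it passes)."""
    reasons = []
    if '|' in value:                 # pipe character, per the "pipe bug" named in the advisory
        reasons.append('pipe')
    if value.startswith('/'):        # absolute path outside the document directory
        reasons.append('absolute-path')
    if '..' in value:                # parent-directory reference
        reasons.append('traversal')
    if not reasons and not SAFE_NAME_RE.match(value):
        reasons.append('not-allow-listed')
    return reasons

def scan(lines):
    """Return (line_number, documentName, reasons) for each suspicious pals-cgi request."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith('/pals-cgi'):
            continue
        query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        for value in query.get('documentName', []):
            reasons = classify(value)
            if reasons:
                findings.append((n, value, reasons))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

    The same classify check can be placed in front of the CGI (for
    example in a wrapper or reverse proxy) to reject such requests
    before they reach pals-cgi.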