A U.K.-based security consultancy warned PeopleSoft users on Thursday of serious vulnerabilities in the ERP and CRM vendor's PeopleTools development application.
Patches are available for download from PeopleSoft's support site, under security rollup vulnerability ID 20031112. Release numbers 8.18, 8.19, 8.20, 8.42 and 8.43 are affected.
Corsaire Ltd. of Surrey, England, reported the flaws in the PeopleSoft iScript component of PeopleTools as well as in the PeopleBooks Search CGI application. The flaws could lead to leaks of sensitive data and system crashes, and they could enable remote access to files on the server.
Corsaire and PeopleSoft recommend immediate patching or, at a minimum, using a firewall to block queries with sensitive strings. The application can also be disabled.
PeopleSoft iScript is a development environment that allows programmers to tailor PeopleSoft applications to an organization's needs. By sending a malicious URL to an iScript application, an attacker could pull off a cross-site scripting attack and potentially access sensitive information, like session cookies, that could contain passwords and other data. Cross-site scripting is the injection of script code into a hyperlink or page so that it runs in another user's browser, which enables an attacker to hijack that user's Web session and potentially steal whatever data is entered during that session.
The other flaw reported yesterday was in PeopleBooks, the online documentation for PeopleTools. A CGI (common gateway
Corsaire said the application accepts header-name and footer-name arguments that allow a user to select header and footer content for an HTML page. By exploiting the reported flaw, an attacker can read files outside the directory the Web server is meant to serve, like configuration files that could include passwords and other sensitive data.
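The two flaws above (a script-injection URL sent to iScript, and header-name/footer-name values that escape the intended template directory) are both caught by input screening of the kind PeopleSoft and Corsaire describe as a stopgap. The Python below is an added example written for this article, not code from PeopleSoft or Corsaire: it confines the header-name and footer-name file selections to one directory and flags script markup in any query parameter. The parameter names come from the article; the template directory and the CGI paths in the sample URLs are assumed placeholders.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs

# Assumed: the only directory the search CGI should read header/footer templates from.
TEMPLATE_DIR = "/var/www/peoplebooks/templates"

# Parameter names reported by Corsaire; the CGI path itself is not given in the article.
FILE_PARAMS = ("header-name", "footer-name")

# Script markup that has no business in a search or iScript query parameter.
SCRIPT_PATTERN = re.compile(
    r"<\s*script\b|javascript:|<\s*\w+[^>]*\bon\w+\s*=", re.IGNORECASE
)


def resolve_template(name, base_dir=TEMPLATE_DIR):
    """Return the resolved path of a template only if it stays inside base_dir, else None.

    realpath() collapses '..' segments and follows symlinks, so the comparison is
    made on the path the operating system would actually open.
    """
    if not name or "\x00" in name:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        return None  # the name pointed outside the template directory
    return candidate


def screen_request(url):
    """Return a list of findings for one request URL; an empty list means it passes.

    parse_qs percent-decodes values first, so encoded forms such as %3Cscript%3E
    are inspected in their decoded form.
    """
    query = urlsplit(url).query
    params = parse_qs(query, keep_blank_values=True)
    findings = []
    for name in FILE_PARAMS:
        for value in params.get(name, []):
            if resolve_template(value) is None:
                findings.append(f"traversal:{name}")
    for name, values in params.items():
        for value in values:
            if SCRIPT_PATTERN.search(value):
                findings.append(f"script-injection:{name}")
    return findings


# Constructed sample requests (CGI paths are placeholders, not PeopleSoft's real ones).
SAMPLE_REQUESTS = [
    "http://host/cgi-bin/SEARCH_CGI_PLACEHOLDER?header-name=default.html&footer-name=foot.html&q=payroll",
    "http://host/cgi-bin/SEARCH_CGI_PLACEHOLDER?header-name=../../../etc/passwd",
    "http://host/psc/ISCRIPT_PLACEHOLDER?q=%3Cscript%3E",
]


def screen_all(urls=SAMPLE_REQUESTS):
    """Map each URL to its findings, the shape a blocking rule or alert would consume."""
    return {url: screen_request(url) for url in urls}


if __name__ == "__main__":
    for url, findings in screen_all().items():
        print("BLOCK" if findings else "pass ", url, findings)
```

The traversal check compares resolved paths rather than searching for `..`, so encodings and mixed separators that still resolve inside the directory pass, and anything that resolves outside it is rejected regardless of how it was spelled.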
PeopleSoft has the following patches available on its support page: For release 8.18, patch 8.18.15; release 8.19, patch 8.19.12; release 8.20, patch 8.20.03; release 8.42, patch 8.42.14; and release 8.43, patch 8.43.11.