Security flaws found in PeopleSoft development app

Michael S. Mimoso, Editorial Director

A U.K.-based security consultancy warned PeopleSoft users on Thursday of serious vulnerabilities in the ERP and CRM vendor's PeopleTools development application.

Patches are available for download from PeopleSoft's support site, under security rollup vulnerability ID 20031112. Release numbers 8.18, 8.19, 8.20, 8.42 and 8.43 are affected.

Corsaire Ltd. of Surrey, England, reported the flaws in the PeopleSoft iScript component of PeopleTools as well as the PeopleBooks Search CGI application. The flaws could lead to leaks of sensitive data and system crashes, and they could enable remote access of files.

Corsaire and PeopleSoft recommend immediate patching or, at a minimum, using a firewall to block queries with sensitive strings. The application can also be disabled.

PeopleSoft iScript is a development environment that allows programmers to tailor PeopleSoft applications to an organization's needs. By sending a malicious URL to an iScript application, an attacker could pull off a cross-site scripting attack and potentially access sensitive information, like session cookies, that could contain passwords and other data. Cross-site scripting is the injection of malicious code into a hyperlink that enables an attacker to hijack another user's Web session and potentially steal whatever data is entered during that session.

The other flaw reported yesterday was in PeopleBooks, the online documentation for PeopleTools. A CGI (common gateway interface) search application (psdoccgi.exe) is installed by default with PeopleTools. Attributes passed into the CGI application allow specification of a server-side path, Corsaire said. Specific path values could allow an outsider to access files or cause a denial-of-service condition on the host Web server.

Corsaire said the application accepts header-name and footer-name arguments that allow a user to select header and footer content for an HTML page. By exploiting the reported flaw, an attacker can access files outside the Web server, like configuration files that could include passwords and other sensitive data.
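
For administrators who cannot patch immediately, the following added example (not code from Corsaire or PeopleSoft) shows the kind of check a filter or log review could apply to requests for psdoccgi.exe: flag header and footer arguments whose value is an absolute path or climbs out of the document directory. The parameter spellings `headername` and `footername`, the `/cgi-bin/` location and the log lines are assumptions constructed for illustration; the article gives only the executable name and "header-name and footer-name arguments".

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

CGI_NAME = "psdoccgi.exe"                   # named in the article
PATH_PARAMS = {"headername", "footername"}  # assumed spellings of the two arguments

def suspicious_value(value):
    """Return why a file-selecting value looks unsafe, or None if it looks benign."""
    for _ in range(3):                      # peel nested percent-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/")        # treat Windows separators alike
    if value.startswith("/") or re.match(r"[A-Za-z]:", value):
        return "absolute path"
    if ".." in value.split("/"):
        return "parent-directory traversal"
    return None

def flag_request(target):
    """Check one request target; return [(parameter, reason), ...]."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/" + CGI_NAME):
        return []
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        reason = suspicious_value(value) if name.lower() in PATH_PARAMS else None
        if reason:
            findings.append((name, reason))
    return findings

def scan(log_lines):
    """Return [(client, findings), ...] for access-log lines worth reviewing."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"', line)
        findings = flag_request(m.group(1)) if m else []
        if findings:
            hits.append((line.split()[0], findings))
    return hits

# Constructed sample access-log lines (not taken from the advisory)
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Nov/2003:10:01:02 +0000] "GET /cgi-bin/psdoccgi.exe?headername=header.htm&footername=footer.htm HTTP/1.0" 200 512',
    '192.0.2.77 - - [14/Nov/2003:10:05:40 +0000] "GET /cgi-bin/psdoccgi.exe?headername=..%2f..%2fconf%2fexample.cfg&footername=footer.htm HTTP/1.0" 200 2048',
    '192.0.2.78 - - [14/Nov/2003:10:06:11 +0000] "GET /cgi-bin/PSDOCCGI.EXE?headername=header.htm&footername=%252e%252e%252fexample.cfg HTTP/1.0" 200 90',
    '192.0.2.79 - - [14/Nov/2003:10:07:00 +0000] "GET /index.html?headername=../x HTTP/1.0" 200 10',
]
```

Calling `scan(SAMPLE_LOG)` returns the two requests that try to leave the document directory, including the double-encoded one, and ignores both the benign request and the request to an unrelated page.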

PeopleSoft has the following patches available on its support page: For release 8.18, patch 8.18.15; release 8.19, patch 8.19.12; release 8.20, patch 8.20.03; release 8.42, patch 8.42.14; and release 8.43, patch 8.43.11.
