Software vulnerabilities in one component of PeopleSoft's PeopleTools application framework could be used to launch attacks against a wide range of PeopleSoft installations and give attackers remote access to sensitive or confidential information.
The vulnerabilities exist in code for a small program called "SchedulerTransfer" that resides on the PeopleSoft Web server, according to an alert published by Internet Security Systems (ISS) X-Force organization.
The small program, or "servlet," is used to move PeopleSoft reports to and from a report repository on the Web server, ISS said.
Using the SchedulerTransfer servlet, report files can be transmitted using HTTP (Hypertext Transfer Protocol) or HTTPS (HTTP over Secure Sockets Layer) protocols. The servlet is configured to run by default on the PeopleSoft Web server and no user authentication is necessary to access the servlet or upload report files, according to ISS.
The SchedulerTransfer code does an insufficient job of defending against what are known as "directory traversal" attacks, which allow an intruder to bypass a server's directory access list restrictions and roam about a remote server's directory structure, ISS said.
An attacker could use a directory traversal attack to create or overwrite files on the PeopleSoft Web server outside of the directory that was specified to receive uploaded reports.
For example, attackers could replace legitimate servlets with their own versions of those files or place other programs on the Web server that would allow them to remotely execute commands and gain control of the server, ISS said.
The flaw could be used in other ways to execute commands remotely, as well, ISS said.
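As an added illustration of the flaw class described above (this is not ISS's advisory text or PeopleSoft's code), the following Python contrasts the weak "join the client-supplied name onto the repository directory" pattern with a hardened resolver that decodes, rejects traversal segments and confirms the canonical target stays inside the repository; the repository path and report names are constructed samples.

```python
import os
import posixpath
from urllib.parse import unquote

# Constructed sample repository root; a real deployment uses its own path.
REPO_DIR = "/srv/psreports"


class TraversalError(ValueError):
    """Raised when a client-supplied report name would escape the repository."""


def naive_report_path(repo_dir: str, requested: str) -> str:
    """The weak pattern: join the client string onto the repository and trust it.

    normpath() collapses "..", so "../../etc/passwd" lands outside repo_dir.
    """
    return os.path.normpath(os.path.join(repo_dir, requested))


def resolve_report_path(repo_dir: str, requested: str) -> str:
    """Hardened mapping of a client-supplied report name onto a path under repo_dir."""
    # Clients may percent-encode dots and slashes; decode before inspecting.
    name = unquote(requested)
    # Treat backslashes as separators so "..\" cannot slip past a "/"-only check.
    name = name.replace("\\", "/")
    if not name or posixpath.isabs(name):
        raise TraversalError(f"absolute or empty report name rejected: {requested!r}")
    # Reject traversal and empty components outright instead of "cleaning" them.
    if any(seg in ("..", "") for seg in name.split("/")):
        raise TraversalError(f"traversal segment in report name: {requested!r}")
    # Canonicalise both sides; realpath() also resolves symlinks inside the repo.
    root = os.path.realpath(repo_dir)
    target = os.path.realpath(os.path.join(root, name))
    # Containment check: the target must lie strictly beneath the repository root.
    if target == root or os.path.commonpath([root, target]) != root:
        raise TraversalError(f"report name escapes repository: {requested!r}")
    return target


def is_safe_report_name(repo_dir: str, requested: str) -> bool:
    """Boolean convenience wrapper for request validation or log review."""
    try:
        resolve_report_path(repo_dir, requested)
    except TraversalError:
        return False
    return True


if __name__ == "__main__":
    for req in ("jan/sales.pdf", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd", "/etc/passwd"):
        print(f"{req!r:28} naive={naive_report_path(REPO_DIR, req):<28} safe={is_safe_report_name(REPO_DIR, req)}")
```

The same containment check applies to any upload or download handler that builds a filesystem path from request data, not only to report repositories.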
PeopleTools is an integrated development environment and runtime architecture that allows organizations to develop, deploy and maintain customized applications for the PeopleSoft environment.
PeopleTools and the SchedulerTransfer servlet are included with many PeopleSoft installations including the company's customer relationship management (CRM), financial management (FMS) and supply chain management (SCM) solutions, ISS said.
Compromising those systems could lead to the disclosure of confidential information or be used to compromise PeopleSoft application and database servers, ISS warned.
PeopleSoft fixed the vulnerabilities reported by ISS in PeopleTools versions 8.19 and 8.42, according to ISS.
Patches are also available in PeopleTools 8.18.06 and 8.41.05, ISS said.
For those customers who are unable to upgrade to a fixed or patched version of PeopleTools, ISS recommends disabling the SchedulerTransfer servlet.