Software vulnerabilities in one component of PeopleSoft's PeopleTools application framework could be used to launch attacks against a wide range of PeopleSoft installations and give attackers remote access to sensitive or confidential information.
The vulnerabilities exist in code for a small program called "SchedulerTransfer" that resides on the PeopleSoft Web server, according to an alert published by the X-Force organization of Internet Security Systems (ISS).
The small program, or "servlet," is used to move PeopleSoft reports to and from a report repository on the Web server, ISS said.
Using the SchedulerTransfer servlet, report files can be transmitted using HTTP (Hypertext Transfer Protocol) or HTTPS (HTTP over Secure Sockets Layer). The servlet is configured to run by default on the PeopleSoft Web server, and no user authentication is necessary to access the servlet or upload report files, according to ISS.
The SchedulerTransfer code does an insufficient job of defending against what are known as "directory traversal" attacks, which allow an intruder to bypass a server's directory access restrictions and roam about the remote server's directory structure, ISS said.
An attacker could use a directory traversal attack to create or overwrite files on the PeopleSoft Web server outside of the directory that was specified to receive uploaded reports.
For example, attackers could replace legitimate servlets with their own versions of those files or place other programs on the Web server that would allow them to remotely execute commands and gain control of the server, ISS said.
The flaw could be used in other ways to execute commands remotely, as well, ISS said.
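The defensive check the alert implies is missing, shown here as an added example in Python (not PeopleSoft's servlet code): an uploaded report name is canonicalised against the configured repository directory and rejected if it resolves anywhere outside it. The repository path `/srv/psreports` and the sample names are constructed for illustration.

```python
import os
from urllib.parse import unquote


class TraversalAttempt(ValueError):
    """Raised when a requested report name would escape the repository."""


def naive_store_path(repo_root: str, requested: str) -> str:
    """The weak pattern the alert describes: trust the name and join it.

    A name containing ".." lands outside repo_root, and an absolute name
    replaces repo_root entirely (os.path.join discards the left side).
    """
    return os.path.normpath(os.path.join(repo_root, requested))


def resolve_report_path(repo_root: str, requested: str) -> str:
    """Return the absolute on-disk path for an uploaded report, or raise.

    Assumes `requested` is taken straight from the request (possibly still
    percent-encoded) and repo_root is the configured report repository.
    """
    if "\0" in requested:
        raise TraversalAttempt("embedded NUL in report name")
    root = os.path.realpath(repo_root)
    # Decode once so "%2e%2e%2f" is judged as the ".." it becomes on disk,
    # and treat backslashes as separators, as a Windows-hosted server would.
    name = unquote(requested).replace("\\", "/")
    # Canonicalise (collapses "..", follows symlinks) before comparing.
    candidate = os.path.realpath(os.path.join(root, name))
    # commonpath avoids the prefix bug: "/srv/psreports2/x" must not pass a
    # plain startswith("/srv/psreports") test; also refuse the root itself.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise TraversalAttempt(f"rejected report name {requested!r}")
    return candidate


def is_safe_report_name(repo_root: str, requested: str) -> bool:
    """True when the name stays inside the repository, False if rejected."""
    try:
        resolve_report_path(repo_root, requested)
        return True
    except TraversalAttempt:
        return False


def escapes_naively(repo_root: str, requested: str) -> bool:
    """True when the weak join above would write outside repo_root."""
    root = os.path.abspath(repo_root)
    target = os.path.abspath(naive_store_path(repo_root, requested))
    return os.path.commonpath([root, target]) != root
```

Disabling the servlet, as ISS recommends for unpatched installations, removes the upload path entirely; the check above is what a patched servlet must do before touching the filesystem.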
PeopleTools is an integrated development environment and runtime architecture that allows organizations to develop, deploy and maintain customized applications for the PeopleSoft environment.
PeopleTools and the SchedulerTransfer servlet are included with many PeopleSoft installations including the company's customer relationship management (CRM), financial management (FMS) and supply chain management (SCM) solutions, ISS said.
Compromising those systems could lead to the disclosure of confidential information or be used to compromise PeopleSoft application and database servers, ISS warned.
PeopleSoft fixed the vulnerabilities reported by ISS in PeopleTools versions 8.19 and 8.42, according to ISS.
Patches are also available in PeopleTools 8.18.06 and 8.41.05, ISS said.
For those customers who are unable to upgrade to a fixed or patched version of PeopleTools, ISS recommends disabling the SchedulerTransfer servlet.