PeopleSoft Human Resources Management System (HRMS) Input Validation Holes Let Remote Users Conduct Cross-Site Scripting Attacks

SecurityTracker Alert ID: 1011433
SecurityTracker URL: http://securitytracker.com/id?1011433
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 28 2004
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Version(s): 7

Description: An input validation vulnerability was reported in PeopleSoft Human Resources Management System (HRMS). A remote user can conduct cross-site scripting attacks.

AUSCERT reported that a remote user can exploit a cross-site scripting flaw in the default HRMS configuration to gain unauthorized access to confidential data within the target PeopleSoft HRMS system. The flaws reside in some debugging and utility scripts that are included in the default installation.

A remote user can create a specially crafted input that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the HRMS software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the HRMS software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution: No solution was available at the time of this entry.

AUSCERT indicates that, as a workaround, you can:

1) Remove the line referencing utils from the file 'user/components/header.htm' and remove the utils directory/folder completely. The same scripts may also be installed in '/hrtest' or a similarly named directory and must also be removed from that directory.

2) Remove the file 'user/ASP/HA_DIRECT_DEP_DTL/HA_DIRECT_DEP_DTL_save.asp', which may have a different name in some installations.
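The two workaround steps above are easy to apply once and forget, so a quick audit that confirms they are still in place is worth keeping around. The script below is an added example, not code from SecurityTracker, AusCERT or PeopleSoft. It assumes that the paths named in the advisory are relative to the HRMS web root, that the duplicate copies live in an `hrtest` directory under that same root, and, because the advisory does not say where the `utils` folder itself sits, it reports every directory named `utils` under the root. The sample directory trees it builds are constructed for the demonstration and contain no real PeopleSoft content.

```python
"""Audit a PeopleSoft HRMS 7 web root for the items named in AA-2004.003.

Added example; not AusCERT's or PeopleSoft's code. Assumptions: advisory
paths are relative to the web root, the duplicate tree is <root>/hrtest,
and any directory literally named 'utils' under the root is reported.
"""
import re
import tempfile
from pathlib import Path

# Paths taken from the advisory text, relative to the web root.
HEADER_FILE = Path("user/components/header.htm")
DIRECT_DEP_SCRIPT = Path("user/ASP/HA_DIRECT_DEP_DTL/HA_DIRECT_DEP_DTL_save.asp")
# Whole-word match so names such as 'utilsform.js' are not flagged by accident.
UTILS_REF = re.compile(r"\butils\b", re.IGNORECASE)


def audit_tree(root: Path) -> list[str]:
    """Return one finding per workaround item that still appears unapplied.

    An empty list means nothing named in the advisory was found under root.
    """
    findings: list[str] = []

    # Step 1a: header.htm must no longer reference utils.
    header = root / HEADER_FILE
    if header.is_file():
        for lineno, line in enumerate(header.read_text(errors="replace").splitlines(), 1):
            if UTILS_REF.search(line):
                findings.append(f"{header}:{lineno}: still references utils: {line.strip()}")

    # Step 1b: the utils directory must be gone (location assumed unknown).
    for utils_dir in sorted(p for p in root.rglob("utils") if p.is_dir()):
        findings.append(f"{utils_dir}: utils directory still present")

    # Step 2: the direct-deposit save script must be gone.
    script = root / DIRECT_DEP_SCRIPT
    if script.is_file():
        findings.append(f"{script}: HA_DIRECT_DEP_DTL_save.asp still present")

    return findings


def audit_hrms(webroot: Path) -> list[str]:
    """Audit the main tree and, when present, the assumed '/hrtest' duplicate."""
    findings = audit_tree(webroot)
    hrtest = webroot / "hrtest"  # assumption: duplicate tree sits under the web root
    if hrtest.is_dir():
        findings.extend(audit_tree(hrtest))
    return findings


def build_sample_tree(base: Path, remediated: bool) -> Path:
    """Construct a toy web root (placeholder content, not real PeopleSoft files)."""
    root = base / ("clean" if remediated else "vulnerable")
    (root / HEADER_FILE).parent.mkdir(parents=True)
    lines = ["<html><head>", '<script src="/user/components/menu.js"></script>']
    if not remediated:
        lines.append('<script src="/utils/debug.js"></script>')  # constructed line
    (root / HEADER_FILE).write_text("\n".join(lines))
    if not remediated:
        (root / "utils").mkdir()
        (root / "utils" / "debug.js").write_text("// constructed placeholder\n")
        (root / DIRECT_DEP_SCRIPT).parent.mkdir(parents=True)
        (root / DIRECT_DEP_SCRIPT).write_text("<% ' constructed placeholder %>\n")
    return root


def demo() -> tuple[list[str], list[str]]:
    """Build an unremediated and a remediated tree and return both audit results."""
    with tempfile.TemporaryDirectory() as tmp:
        vulnerable = audit_hrms(build_sample_tree(Path(tmp), remediated=False))
        clean = audit_hrms(build_sample_tree(Path(tmp), remediated=True))
    return vulnerable, clean


if __name__ == "__main__":
    for label, result in zip(("vulnerable", "clean"), demo()):
        print(f"== {label} ==")
        for finding in result or ["no advisory items found"]:
            print(" ", finding)
```

Run it against a real installation with `audit_hrms(Path("/path/to/hrms/webroot"))`; an empty result means both workaround items have been applied in that tree and in the `hrtest` copy, if one exists.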

Vendor URL: www.peoplesoft.com/
Cause: Input validation error
Underlying OS: Linux (Any), OS/400, UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (Any)

Message History: None.

Source Message Contents

Date: Tue, 28 Sep 2004 00:05:51 -0400
Subject: [none]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AA-2004.003 AUSCERT Advisory
PeopleSoft Human Resources Management System (HRMS) version 7
cross site scripting
28 September 2004
Last Revised: --
- ---------------------------------------------------------------------------
AusCERT Alert Summary
---------------------
Product:            PeopleSoft HRMS 7
Operating System:   IBM i/OS
                    IBM OS/400
                    IBM AIX
                    HP-UX
                    Solaris
                    Windows
                    Linux variants
Impact:             Execute Arbitrary Code/Commands
                    Access Confidential Data
Access:             Remote/Unauthenticated
AusCERT has received information regarding a vulnerability in PeopleSoft
Human Resources Management System (HRMS) version 7.
This vulnerability may allow unauthenticated remote users to execute arbitrary
code and gain unauthorised access to confidential data within the PeopleSoft
HRMS system. AusCERT recommends that sites running PeopleSoft HRMS version 7
evaluate their exposure and consider taking the steps outlined in section 3.
- ---------------------------------------------------------------------------
1. Description
PeopleSoft Human Resources Management System (HRMS) is used to manage
employee data and workflow. It is used widely in educational institutions
and large corporations to manage employee personal data, sometimes
including payroll.
Default PeopleSoft HRMS 7 installations may contain some debugging and
utility scripts. Such installations may be vulnerable to cross site
scripting attacks and further exploitation until these scripts are
removed. This removal requires editing of some original scripts and may
not have occurred on all installations.
Currently there are no vendor patches available that address these
vulnerabilities. AusCERT recommends that official vendor patches be
installed when they become available.
2. Impact
Default installations of PeopleSoft HRMS 7 contain scripts that may be
used by a remote un-authenticated attacker to rewrite and add content to
the main logon page of HRMS. This could include JavaScript code which,
for example, would allow for the capture of user credentials being
entered into that page. The scripts also allow a remote authenticated
attacker to masquerade as any user.
3. Workarounds/Mitigation
The following strategies can assist in mitigating the risk posed by this
vulnerability:
o Remove the line referencing utils from the file
user/components/header.htm
and remove the utils directory/folder completely. In some
installations these scripts are duplicated in "/hrtest" or similar,
and references to utils should be removed from there as well.
o Remove the file:
user/ASP/HA_DIRECT_DEP_DTL/HA_DIRECT_DEP_DTL_save.asp
(the script may be named differently on non-Australian sites).
- ---------------------------------------------------------------------------
AusCERT would like to thank Paul Szabo of the School of Mathematics and
Statistics, University of Sydney for the information contained in this
advisory.
- ---------------------------------------------------------------------------
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQVjDpSh9+71yA2DNAQJ6VwP/evi7pgQJZTZVNT/YYpBy9K2n9BaH+5rK
23ix0e4P1c/gRtOcNSfOTUzwf4FlS6kdpTliqYanUs0VsOCTJwjp4GM6sme6lIjd
SW4UuLB9Ig7XmNbuMUdqN8uo0sHpHCuII1ljof4tqVsYMISSQ4BpPyaoIfQC8DXL
8izC1yp0yJw=
=8KPo
-----END PGP SIGNATURE-----