[NEWS] PeopleSoft LONGCHAR and VARCHAR Data Upload (DoS)
From: SecuriTeam (support_at_securiteam.com)
Date: 10/19/03
To: list@securiteam.com Date: 19 Oct 2003 18:00:33 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PeopleSoft LONGCHAR and VARCHAR Data Upload (DoS)
------------------------------------------------------------------------
SUMMARY
PeopleSoft's LONGCHAR and VARCHAR fields allow potentially large amounts
of data to be uploaded. These fields default to the maximum allowed size
for their data type established on the database. This would allow
attackers to cause a denial of service against the product.
DETAILS
Vulnerable systems:
* PeopleSoft version 8.42
Vendor Solution:
The database can be configured to limit the size of these data types;
however, this should be tested to assess the impact to the application.
Consider also looking at modifying the field definitions within the
Application. Restricting size with the field definition would prevent
using these LONG fields to upload large amounts of data. Note that making
any changes to the delivered application is considered a customization
beyond the scope of the Global Support Center. Make sure to take a backup
of the data before making such changes.
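An inventory query for the field-definition approach described above, added here as an example; it is not part of the original advisory or of PeopleSoft's guidance. It assumes the PeopleTools metadata tables PSDBFIELD, PSRECFIELD and PSRECDEFN, that FIELDTYPE = 1 marks a Long Character field, that LENGTH = 0 means no maximum length is set, and that RECTYPE = 0 marks a physical SQL table; verify these against your PeopleTools release before relying on the result.

```sql
-- Added example, not from the advisory. Assumed PeopleTools metadata:
--   PSDBFIELD  (FIELDNAME, FIELDTYPE, LENGTH)  field definitions
--   PSRECFIELD (RECNAME, FIELDNAME)            fields used by each record
--   PSRECDEFN  (RECNAME, RECTYPE)              record definitions
-- Assumed codes: FIELDTYPE = 1 is Long Character, LENGTH = 0 means no
-- maximum length was set, RECTYPE = 0 is a physical SQL table.
--
-- Lists every Long Character field that falls back to the database
-- maximum, ranked by how many physical tables store it, so the most
-- widely used unbounded fields are reviewed first.
SELECT f.FIELDNAME,
       f.LENGTH         AS DEFINED_MAX_LENGTH,
       COUNT(r.RECNAME) AS TABLES_USING_FIELD
FROM   PSDBFIELD f
       JOIN PSRECFIELD rf ON rf.FIELDNAME = f.FIELDNAME
       JOIN PSRECDEFN  r  ON r.RECNAME    = rf.RECNAME
WHERE  f.FIELDTYPE = 1
  AND  f.LENGTH    = 0
  AND  r.RECTYPE   = 0
GROUP  BY f.FIELDNAME, f.LENGTH
ORDER  BY TABLES_USING_FIELD DESC, f.FIELDNAME;
```

The query only reads metadata; any change to a field definition that follows from it is still a customization and needs the testing and backup noted above.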
Vendor Status:
3 June 03 PeopleSoft contacted
3 June 03 PeopleSoft confirms
24 June 03 PeopleSoft teleconference
19 July 03 PeopleSoft posts to Customer Connection
ADDITIONAL INFORMATION
The information has been provided by Barrett McGuire, Larry Wargo, and
Matt Fotter.
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.