[NEWS] PeopleSoft LONGCHAR and VARCHAR Data Upload (DoS)

From: SecuriTeam (support_at_securiteam.com)
Date: 10/19/03

    To: list@securiteam.com
    Date: 19 Oct 2003 18:00:33 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      PeopleSoft LONGCHAR and VARCHAR Data Upload (DoS)
    ------------------------------------------------------------------------

    SUMMARY

    PeopleSoft's LONGCHAR and VARCHAR fields allow potentially large amounts
    of data to be uploaded. These fields default to the maximum size the
    database allows for their data type. This would allow attackers to cause
    a denial of service against the product.

    DETAILS

    Vulnerable systems:
     * PeopleSoft version 8.42

    Vendor Solution:
    The database can be configured to limit the size of these data types;
    however, this should be tested to assess the impact to the application.
    Also consider modifying the field definitions within the Application.
    Restricting size with the field definition would prevent using these
    LONG fields to upload large amounts of data. Note that making any
    changes to the delivered application is considered a customization
    beyond the scope of the Global Support Center. Make sure to take a
    backup of the data before making such changes.
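
    The following audit script is an added example, not code from the advisory or from PeopleSoft. It models the behaviour described above: a field whose declared length is 0 is assumed to fall back to the database maximum for its type, and the script flags such fields against a per-type policy cap and rejects oversized values before they reach the database. The record and field names, the database maxima and the policy caps are all constructed placeholders.

```python
"""Audit LONGCHAR/VARCHAR field definitions for unbounded sizes.

Added example, not part of the SecuriTeam advisory or PeopleSoft's code.
Assumption: a declared length of 0 means "default to the database maximum".
All record/field names and size values below are constructed.
"""
from dataclasses import dataclass

# Illustrative database maxima per character type (bytes); not vendor limits.
DB_TYPE_MAX = {"VARCHAR": 4000, "LONGCHAR": 2_000_000_000}


@dataclass(frozen=True)
class FieldDef:
    record: str
    field: str
    ftype: str   # "VARCHAR" or "LONGCHAR"
    length: int  # declared length; 0 = fall back to DB maximum (assumed)


def effective_limit(fd: FieldDef) -> int:
    """Size the database will actually accept for this field."""
    db_max = DB_TYPE_MAX[fd.ftype]
    return db_max if fd.length == 0 else min(fd.length, db_max)


def find_unbounded(fields, policy_max):
    """Return (record, field, type, effective, cap) for fields over policy."""
    findings = []
    for fd in fields:
        limit = effective_limit(fd)
        cap = policy_max[fd.ftype]
        if limit > cap:
            findings.append((fd.record, fd.field, fd.ftype, limit, cap))
    return findings


def enforce_length(fd: FieldDef, value: str, policy_max) -> str:
    """Reject a value that exceeds the field's effective or policy cap."""
    cap = min(effective_limit(fd), policy_max[fd.ftype])
    size = len(value.encode("utf-8"))
    if size > cap:
        raise ValueError(f"{fd.record}.{fd.field}: {size} bytes exceeds cap {cap}")
    return value


# Constructed sample metadata (hypothetical record and field names).
SAMPLE_FIELDS = [
    FieldDef("PS_SAMPLE_NOTE", "NOTE_TEXT", "LONGCHAR", 0),      # unbounded
    FieldDef("PS_SAMPLE_NOTE", "DESCR", "VARCHAR", 30),
    FieldDef("PS_SAMPLE_ATTACH", "COMMENTS", "VARCHAR", 0),      # unbounded
    FieldDef("PS_SAMPLE_ATTACH", "BODY", "LONGCHAR", 32000),
]
POLICY_MAX = {"VARCHAR": 254, "LONGCHAR": 32000}  # constructed policy caps
```

Run `find_unbounded(SAMPLE_FIELDS, POLICY_MAX)` to list the two length-0 fields that would silently accept database-maximum payloads.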

    Vendor Status:
    3 June 03 PeopleSoft contacted
    3 June 03 PeopleSoft confirms
    24 June 03 PeopleSoft teleconference
    19 July 03 PeopleSoft posts to Customer Connection

    ADDITIONAL INFORMATION

    The information has been provided by Barrett McGuire, Larry Wargo, and
    Matt Fotter.

