[NEWS] PeopleSoft Control-J Information Disclosure

• Previous message: SecuriTeam: "[NEWS] PeopleSoft LONGCHAR and VARCHAR Data Upload (DoS)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 19 Oct 2003 17:56:59 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  PeopleSoft Control-J Information Disclosure
------------------------------------------------------------------------

SUMMARY

<Control><J> is a hot key that is used by everyone that helps in
troubleshooting many issues within the PIA or Portal environment. Ever
since PeopleTools 8.1x, <Control><J> allows us to see information like:
Browser and its version, name of Operating System, PeopleTools version,
Application type and its version, Service Pack number, current Menu name,
and current Component name, current Page name, the UserID who is logging
in, the name of the Database logged into, the Database platform, and the
IP of the Application Server".

Although most of the information may seem to be harmless, some of the
information is considered too sensitive and should not be shared with all
of the user community. The following information should be hidden from the
users: the UserID who is logging in, the name of the Database logged into,
the Database platform, and the IP of the Application Server.

DETAILS

Vulnerable systems:
 * PeopleSoft version 8.42

Vendor Solution:
Control - J functionality is modified by changing the following line in
configuration.properties:

# If set to true, the database name and other potentially sensitive
connection information
# will appear in the HTML generated for use in a help display.
# Default: true

connectionInformation=true

Setting this value to false will hide security related information from
CTLR-J and HTML object PT_INFOPAGE will be displayed:
Browser IE/6.0
Operating System WINNT
Browser Compression ON (gzip)
Tools Release 8.42.01
Application Release HRMS 8.80.00.000
Service Pack 0
Page NID_LOOKUP
Component NID_LOOKUP
Menu ADMINISTER_WORKFORCE_(GBL)

If connectionInformation=true, the following HTML object
PT_INFOPAGECONNECT is displayed:
Browser IE/6.0
Operating System WINNT
Browser Compression ON (gzip)
Tools Release 8.42.01
Application Release HRMS 8.80.00.000
Service Pack 0
Page NID_LOOKUP
Component NID_LOOKUP
Menu ADMINISTER_WORKFORCE_(GBL)
User ID PS
Database Name HRMS
Database Type MICROSFT
Application Server //127.0.0.1:9000

Further, the actual HTML objects can be modified to restrict display of
sensitive objects. Please note that this is a customization to a delivered
PeopleTools object and will require special attention when applying
PeopleTools patches and upgrades.

Vendor status:
3 June 03 PeopleSoft contacted
3 June 03 PeopleSoft confirms
24 June 03 PeopleSoft teleconference
19 July 03 PeopleSoft posts to Customer Connection

ADDITIONAL INFORMATION

The information has been provided by Barrett McGuire, Larry Wargo, and
Matt Fotter.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NEWS] PeopleSoft LONGCHAR and VARCHAR Data Upload (DoS)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]