Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

PeopleSoft Grid Option Vulnerability

From: <info () i-assure com>
Date: 7 Oct 2003 16:41:00 -0000


Vendor:                 PeopleSoft
PS Solution ID:         200749183
Product:                People Tools
Version:                8.42 
Platform:               Solaris 8, BEA WebLogic, Others?
Remote/Local:           Remote, Unauthenticated
Title:                  File Availability
Impact:                 Data accessible by Everyone.

Description:            
PeopleTools 8.42 has a "grid" option, which allows a user to save a search to an .xls file. The .xls file is displayed 
in the local browser, allowing a user to do a "Save As" to save to local hard drive. The output file is also saved as a 
temporarily-resident copy on the web server without restrictions.

Any user, without authenticating, can browse to the direct URL location and access the file. The file appears to stay 
in this location for approximately 5 minutes before you get the '404 File not found' error.

The application makes the file available by storing it on the webserver for a period of time that is hard coded into 
the java servlet. The file is stored in a directory with a random name, however, the random directory name could be 
determined using automated tools and since the file itself is not secured, it is potentially accessible by unauthorized 
users.


Vendor Solution:        
Attached to this solution (download from PeopleSoft--see above Solution ID) is a script to make the download to Excel 
buttons invisible. The script is for Microsoft SQL Server, if you are on a different Database platform, you will have 
to make the necessary changes to the script.

NOTE: The script is NOT designed to make it easy for you to return to your prior state after the script has been 
applied. Additionally, this script is provided as a convenience, and is not supported by GSC.

PLEASE REMEMBER, this is considered to be a customization beyond the scope of the Global Support Center. We are 
delivering a script that works in Microsoft SQL Server with no plans to create different scripts for the different 
Database platforms.

Vendor Trail:           
3 June 03       PeopleSoft contacted
3 June 03       PeopleSoft confirms
24 June 03      PeopleSoft teleconference
19 July 03      PeopleSoft posts to Customer Connection


Contributers:           
Barrett McGuire
Larry Wargo
Matt Fotter
Previous By Date Next
Previous By Thread Next

Current thread: