PeopleSoft's LONGCHAR and VARCHAR fields allow potentially large amounts of data to be uploaded. These fields default to the maximum allowed size for their data type established on the database. This would allow attackers to cause a denial of service against the product.
Credit:
The information has been provided by Barrett McGuire, Larry Wargo, and Matt Fotter.
Vendor Solution:
The database can be configured to limit the size of these data types; however, this should be tested to assess the impact to the application. Consider also looking at modifying the field definitions within the Application. Restricting size with the field definition would prevent using these LONG fields to upload large amounts of data. Note that making any changes to the delivered application is considered a customization beyond the scope of the Global Support Center. Make sure and take a backup of the data before making such changes.
Vendor Status:
3 June 03 PeopleSoft contacted
3 June 03 PeopleSoft confirms
24 June 03 PeopleSoft teleconference
19 July 03 PeopleSoft posts to Customer Connection
