A vulnerability in PeopleSoft's PeopleTools allows users to download data that was generated by other users. The cause is that when a user exports a grid to Excel (the "Grid Option"), the resulting XLS file is stored on the web server in a location that is accessible to anyone.
Credit:
The information has been provided by Barrett McGuire, Larry Wargo, and Matt Fotter of I-Assure.
Vulnerable systems:
* People Tools version 8.42
PeopleTools has a "grid" option, which allows a user to save a search result to an .xls file. The .xls file is displayed in the local browser, allowing the user to do a "Save As" to save it to the local hard drive. The output file is also saved as a temporary copy on the web server, without any access restrictions.
Any user, without authenticating, can browse directly to the file's URL and access it. The file appears to remain in this location for approximately 5 minutes before a '404 File not found' error is returned.
The application makes the file available by storing it on the web server for a period of time that is hard coded into the Java servlet. The file is stored in a directory with a random name; however, the random directory name could be determined using automated tools, and since the file itself is not protected by any authentication or authorization check, it is potentially accessible to unauthorized users.
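The two weaknesses described above are that the export lives in a web-accessible location and that nothing ties it to the user who produced it, so a guessed directory name is enough. As an added example (not the vendor's servlet code and not part of the original advisory), the following Python sketch shows the storage pattern a defender would want instead: the export is written outside the web root with restrictive permissions, the handle is a 256-bit random token rather than a short random directory name, and the download handler releases the file only to the authenticated session that created it, until a fixed TTL purges it. The class name, the 300-second TTL, the `.xls` suffix and the session-id strings are assumptions made for the example; the injectable clock exists only so the expiry path can be exercised without waiting.

```python
import os
import secrets
import tempfile
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class _Export:
    owner: str          # authenticated session/user id that requested the export
    path: str           # absolute path, outside any directory the web server maps
    expires_at: float   # epoch seconds after which the file is purged


class ExportStore:
    """Holds generated export files outside the web root and hands them out only to
    the owning, authenticated user, for a limited time.

    Illustration of the mitigation pattern only (assumed design, not PeopleSoft's code).
    """

    def __init__(self, ttl_seconds: int = 300, clock: Callable[[], float] = time.time):
        # Private scratch directory (mode 0700 from mkdtemp). No URL must map onto it;
        # files are only ever read back through get(), never served as static content.
        self._dir = tempfile.mkdtemp(prefix="exports-")
        self._ttl = ttl_seconds
        self._clock = clock
        self._exports: Dict[str, _Export] = {}

    def put(self, owner: str, content: bytes) -> str:
        """Store an export for `owner` and return an unguessable handle for it."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy; infeasible to enumerate
        path = os.path.join(self._dir, token + ".xls")
        # O_EXCL + 0600: no clobbering, readable only by the server process owner.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(content)
        self._exports[token] = _Export(owner, path, self._clock() + self._ttl)
        return token

    def get(self, token: str, requester: Optional[str]) -> Optional[bytes]:
        """Return the file only if the requester is authenticated, owns the export and
        it has not expired. Every other case yields None, which the HTTP layer should
        render as a uniform 404 so that existence of other users' exports is not leaked."""
        self.purge_expired()
        if requester is None:
            return None  # unauthenticated request: unguessable token alone is not enough
        exp = self._exports.get(token)
        if exp is None or not secrets.compare_digest(exp.owner, requester):
            return None  # unknown token, or an export that belongs to someone else
        with open(exp.path, "rb") as f:
            return f.read()

    def purge_expired(self) -> int:
        """Delete exports past their TTL; returns how many were removed."""
        now = self._clock()
        stale = [t for t, e in self._exports.items() if e.expires_at <= now]
        for t in stale:
            e = self._exports.pop(t)
            try:
                os.remove(e.path)
            except FileNotFoundError:
                pass
        return len(stale)


if __name__ == "__main__":
    store = ExportStore(ttl_seconds=300)
    handle = store.put("session-alice", b"constructed,grid,export")
    print("owner gets bytes:", store.get(handle, "session-alice") is not None)
    print("other user gets :", store.get(handle, "session-bob"))
    print("anonymous gets  :", store.get(handle, None))
```

The point of the example is the combination: the token would still be exposed to whoever holds the URL if it were served from a static directory, and ownership checks alone do nothing if the file can be fetched without passing through the handler. Logging the `None` outcomes in `get()` (unknown token, wrong owner, no session) also gives a detection signal for the enumeration the advisory describes.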
Vendor Solution:
Attached to this solution (download from PeopleSoft Solution ID: 200749183) is a script to make the "download to Excel" buttons invisible. The script is for Microsoft SQL Server; if you are on a different database platform, you will have to make the necessary changes to the script.
NOTE: The script is NOT designed to make it easy for you to return to your prior state after the script has been applied. Additionally, this script is provided as a convenience, and is not supported by GSC.
PLEASE REMEMBER, this is considered a customization beyond the scope of the Global Support Center. We are delivering a script that works in Microsoft SQL Server with no plans to create different scripts for the different Database platforms.
Vendor Timeline:
3 June 03 PeopleSoft contacted
3 June 03 PeopleSoft confirms
24 June 03 PeopleSoft teleconference
19 July 03 PeopleSoft posts to Customer Connection