Date: 22 January 2003
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2003.0037 -- Internet Security Systems Security Advisory
PeopleSoft XML External Entities Vulnerability
22 January 2003
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: PeopleTools 8.1x prior to 8.19
Vendor: PeopleSoft
Impact: Access Confidential Data
Access Required: Remote
- --------------------------BEGIN INCLUDED TEXT--------------------
Internet Security Systems Security Advisory
January 20, 2003
PeopleSoft XML External Entities Vulnerability
Synopsis:
ISS X-Force has discovered a flaw in the PeopleSoft Application Messaging
Gateway. PeopleSoft enterprise software enables the management of all manner
of business functions, including human resources, customer relations, supply
chain, and finance. The PeopleSoft Application Messaging Gateway provides a
Web-based interface for PeopleSoft functionality and allows for communication
and synchronization between PeopleSoft products non-PeopleSoft products.
Impact:
The Application Messaging Gateway is configured to run by default on the
PeopleSoft Web server, and is accessible as a Java servlet. Attackers can use
an XML External Entities (XXE) attack to read any file on the vulnerable
PeopleSoft application server under the security context of the Web server
process. This attack may lead to the exposure of confidential information
stored in vulnerable PeopleSoft installations.
Affected Versions:
PeopleTools 8.1x prior to 8.19, included with most PeopleSoft installations,
including but not limited to:
PeopleSoft HCM (Human Capital Management)
PeopleSoft CRM (Customer Relationship Management)
PeopleSoft EPM (Enterprise Performance Management)
PeopleSoft FMS (Financial Management Solutions)
PeopleSoft SCM (Supply Chain Management)
PeopleSoft ESA (Enterprise Server Automation)
PeopleSoft SRM (Supplier Relationship Management)
Note: PeopleTools 8.4x is not vulnerable.
Description:
The Application Messaging Gateway can be administered via the Gateway
Administration servlet, accessible to all by default. This servlet can easily
be disabled, but most administrators do not regard it as a security risk.
The servlet can be used to add handlers, to which data sent to the gateway is
delivered. PeopleSoft includes a handler to push data out of the PeopleSoft
system, called the SimpleFileHandler.
Once this handler has been added via the gateway administration servlet, XML
data can be submitted via an HTTP POST request. When responding to a request,
certain elements of the data submitted are selected using an XML parser, and
several XML tags are returned to the remote user within the response.
It is possible to include an XML external entity within those fields, which
causes the XML parser to read arbitrary files. Data is returned to the remote
user within the response. It is also possible to cause the vulnerable servlet
to open arbitrary TCP connections.
Recommendations:
Internet Scanner X-Press Update 6.24 includes a check to assess the
vulnerability described in this advisory. XPU 6.24 is available now from the
ISS Download Center at: http://www.iss.net/download.
ISS X-Force recommends that all PeopleSoft administrators block or restrict
access to the servlets in question. X-Force also recommends that
administrators take advantage of the security mechanisms that BEA WebLogic
Servers provide to restrict access based on the requirements of users.
Administrators should examine the following configuration properties and
tune them to their individual environments. To address the issues described
in this advisory, the following servlets should be restricted within the
"weblogic.properties" file:
weblogic.httpd.register.servlets/gateway.administration=psft.pt8.config.ConfigServlet
weblogic.allow.execute.weblogic.servlet.servlets/gateway.administration=system
weblogic.httpd.register.servlets/gateway.handlers=psft.pt8.reader.ReaderServlet
weblogic.allow.execute.weblogic.servlet.servlets/gateway.handlers=system
weblogic.httpd.register.servlets/gateway=psft.pt8.gateway.GatewayServlet
weblogic.allow.execute.weblogic.servlet.servlets/gateway=system
PeopleSoft has addressed all of the issues described in this advisory in
PeopleTools 8.19, available on PeopleSoft’s Customer Connection site in
early February. As a workaround, in addition to recommendations mentioned
above, remove the SimpleFileHandler files if SimpleFileHandler is not
required by deleting the /psft/pt8/filehandler directory under the servlets
directory on the Web server.
Additional Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2002-1252 to this issue. This is a candidate for inclusion in the CVE
list http://cve.mitre.org), which standardizes names for security problems.
XXE attacks were recently described by Gregory Steuck in an advisory posted
to the BugTraq mailing list:
http://archives.neohapsis.com/archives/bugtraq/2002-10/0411.html
X-Force Database
http://www.iss.net/security_center/static/10520.php
Credit:
This vulnerability was discovered and researched by Neel Mehta of the ISS
X-Force.
______
About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.
Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email xforce@iss.net for
permission.
Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.
X-Force PGP Key available on MIT's PGP key server and PGP.com's key server,
as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBPi5tDyh9+71yA2DNAQGKMQP/aKaUXJlps3OrXVFAOtnCy3URFjQdbR37
Gg8PWTUzsoAXDLq33SvMic08kKTjudG9gKw7MxAhCsJh5XmSRHgYli4X+YGsZC0u
kf/x3uOH6cTFrqupEfoeCZ+v175Sxx3UOt1TLpPm/ClLKF4haNS8DH4Ggz6usDn0
BMjNTt7mmas=
=kys+
-----END PGP SIGNATURE-----
|