Published:
27 September 2004
AusCERT has been in contact with a representative from PeopleSoft who has provided information clarifying the scope of the vulnerability. Please take this into consideration when viewing the following bulletin. PeopleSoft customers can obtain more information through the normal "Customer Connect" web site and processes.

==Begin PeopleSoft Statement==

Default HRMS version 7 (or any other version for that matter) is NOT at risk to this possible vulnerability. ONLY implementations that include our ESS product for HRMS 7 have any possible exposure to this possible vulnerability. Furthermore, ONLY implementations of ESS on HRMS 7 modified to be "web enabled" using HTML Access are likely to be at any risk to this possible vulnerability.

==End PeopleSoft Statement==

===========================================================================
AA-2004.003                                              AUSCERT Advisory

        PeopleSoft Human Resources Management System (HRMS) version 7
                            cross site scripting
                                                        28 September 2004

                                                        Last Revised: --
---------------------------------------------------------------------------

AusCERT Alert Summary
---------------------

Product:            PeopleSoft HRMS 7
Operating System:   IBM i/OS
                    IBM OS/400
                    IBM AIX
                    HP-UX
                    Solaris
                    Windows
                    Linux variants
Impact:             Execute Arbitrary Code/Commands
                    Access Confidential Data
Access:             Remote/Unauthenticated

AusCERT has received information regarding a vulnerability in PeopleSoft Human Resources Management System (HRMS) version 7. This vulnerability may allow unauthenticated remote users to execute arbitrary code and gain unauthorised access to confidential data within the PeopleSoft HRMS system.

AusCERT recommends that sites running PeopleSoft HRMS version 7 evaluate their exposure and consider taking the steps outlined in section 3.

---------------------------------------------------------------------------

1.  Description

PeopleSoft Human Resources Management System (HRMS) is used to manage employee data and workflow. It is used widely in educational institutions and large corporations to manage employee personal data, sometimes including payroll.

Default PeopleSoft HRMS 7 installations may contain some debugging and utility scripts. Such installations may be vulnerable to cross site scripting attacks and further exploitation until these scripts are removed. This removal requires editing of some original scripts and may not have occurred on all installations.

Currently there are no vendor patches available that address these vulnerabilities. AusCERT recommends that official vendor patches be installed when they become available.

2.  Impact

Default installations of PeopleSoft HRMS 7 contain scripts that may be used by a remote unauthenticated attacker to rewrite and add content to the main logon page of HRMS. This could include JavaScript code which, for example, would allow for the capture of user credentials being entered into that page. The scripts also allow a remote authenticated attacker to masquerade as any user.

3.  Workarounds/Mitigation

The following strategies can assist in mitigating the risk posed by this vulnerability:

o  Remove the line referencing utils from the file user/components/header.htm and remove the utils directory/folder completely. In some installations these scripts are duplicated in "/hrtest" or similar, and references to utils should be removed from there as well.

o  Remove the file: user/ASP/HA_DIRECT_DEP_DTL/HA_DIRECT_DEP_DTL_save.asp (the script may be named differently on non-Australian sites).

---------------------------------------------------------------------------

AusCERT would like to thank Paul Szabo of the School of Mathematics and Statistics, University of Sydney for the information contained in this advisory.

---------------------------------------------------------------------------

AusCERT has made every effort to ensure that the information contained in this document is accurate.
However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at:

    http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
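As an added defender-side check for the workarounds in section 3 (this is not part of the AusCERT advisory or of any PeopleSoft tooling), the POSIX shell function below audits an HRMS 7 web root, plus any mirror such as /hrtest passed as a further argument, for the three items the advisory says to remove. The relative paths come from the advisory; the case-insensitive match on "utils" in header.htm and the HA_DIRECT_DEP_DTL* name pattern for the save script are assumptions made to cover the renamed variants the advisory mentions.

```shell
#!/bin/sh
# hrms7_audit.sh: added check, not part of the AusCERT advisory or of any
# PeopleSoft tooling. Walks a PeopleSoft HRMS 7 web root (and any mirror such
# as /hrtest, passed as further arguments) and reports which of the items that
# section 3 says to remove are still present. Assumes POSIX sh, grep and find,
# and the relative paths the advisory names. Prints one FINDING line per item
# and returns the number of findings, so 0 means nothing is left to remove.

hrms_audit() {
    count=0
    for base in "$@"; do
        [ -d "$base" ] || continue

        # 1. header.htm must no longer carry the line that references utils
        hdr="$base/user/components/header.htm"
        if [ -f "$hdr" ] && grep -qi 'utils' "$hdr"; then
            echo "FINDING: $hdr still references utils"
            count=$((count + 1))
        fi

        # 2. the utils directory must be gone. The advisory does not pin down
        #    where it lives under the root, so any directory of that name counts.
        hits=$(find "$base" -type d -name utils 2>/dev/null | wc -l | tr -d ' ')
        if [ "$hits" -gt 0 ]; then
            find "$base" -type d -name utils \
                -exec echo "FINDING: utils directory still present: {}" \; 2>/dev/null
            count=$((count + hits))
        fi

        # 3. the direct-deposit save script must be gone. It may be named
        #    differently outside Australia (assumption: same HA_DIRECT_DEP_DTL
        #    prefix), so match on the prefix rather than the exact name only.
        hits=$(find "$base/user/ASP" -type f -name 'HA_DIRECT_DEP_DTL*_save.asp' \
                   2>/dev/null | wc -l | tr -d ' ')
        if [ "$hits" -gt 0 ]; then
            find "$base/user/ASP" -type f -name 'HA_DIRECT_DEP_DTL*_save.asp' \
                -exec echo "FINDING: {} still present" \; 2>/dev/null
            count=$((count + hits))
        fi
    done
    return "$count"
}

# Usage: hrms_audit /path/to/hrms/webroot [/path/to/hrtest ...]
```

Run it before and after applying the section 3 changes; a non-zero return means at least one of the listed scripts or references is still in place.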