AusCERT has been in contact with a representative from PeopleSoft who has
provided information clarifying the scope of the vulnerability. Please take
this into consideration when viewing the following bulletin.

PeopleSoft customers can obtain more information through the normal
"Customer Connect" web site and processes.

==Begin PeopleSoft Statement==
Default HRMS version 7 (or any other version, for that matter) is NOT at
risk to this possible vulnerability.

ONLY implementations that include our ESS product for HRMS 7 have any
possible exposure to this possible vulnerability.
Furthermore, ONLY implementations of ESS on HRMS 7 modified to be "web
enabled" using HTML Access are likely to be at any risk to this possible
vulnerability.
==End PeopleSoft Statement==


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AA-2004.003                  AUSCERT Advisory

         PeopleSoft Human Resources Management System (HRMS) version 7
                            cross site scripting
                             28 September 2004

Last Revised: --
- ---------------------------------------------------------------------------

        AusCERT Alert Summary
        ---------------------

Product:                PeopleSoft HRMS 7
Operating System:       IBM i/OS
                        IBM OS/400
                        IBM AIX
                        HP-UX
                        Solaris
                        Windows
                        Linux variants
Impact:                 Execute Arbitrary Code/Commands
                        Access Confidential Data
Access:                 Remote/Unauthenticated


AusCERT has received information regarding a vulnerability in PeopleSoft
Human Resources Management System (HRMS) version 7.

This vulnerability may allow unauthenticated remote users to execute arbitrary 
code and gain unauthorised access to confidential data within the PeopleSoft 
HRMS system. AusCERT recommends that sites running PeopleSoft HRMS version 7 
evaluate their exposure and consider taking the steps outlined in section 3.

- ---------------------------------------------------------------------------

1.  Description

    PeopleSoft Human Resources Management System (HRMS) is used to manage
    employee data and workflow. It is used widely in educational institutions
    and large corporations to manage employee personal data, sometimes
    including payroll.

    Default PeopleSoft HRMS 7 installations may contain some debugging and
    utility scripts. Such installations may be vulnerable to cross site
    scripting attacks and further exploitation until these scripts are
    removed. This removal requires editing of some original scripts and may
    not have occurred on all installations.

    Currently there are no vendor patches available that address these
    vulnerabilities. AusCERT recommends that official vendor patches be
    installed when they become available.

2.  Impact

    Default installations of PeopleSoft HRMS 7 contain scripts that may be
    used by a remote unauthenticated attacker to rewrite and add content to
    the main logon page of HRMS. This could include JavaScript code which,
    for example, would allow for the capture of user credentials being
    entered into that page. The scripts also allow a remote authenticated
    attacker to masquerade as any user.

3.  Workarounds/Mitigation

    The following strategies can assist in mitigating the risk posed by this
    vulnerability:

      o Remove the line referencing utils from the file

        user/components/header.htm

        and remove the utils directory/folder completely. In some
        installations these scripts are duplicated in "/hrtest" or similar,
        and references to utils should be removed from there as well.

      o Remove the file:

        user/ASP/HA_DIRECT_DEP_DTL/HA_DIRECT_DEP_DTL_save.asp

        (the script may be named differently on non-Australian sites).
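    As an added example (not part of the AusCERT advisory and not PeopleSoft's
    own tooling), the following POSIX shell script audits a PeopleSoft HRMS 7
    web root for the artefacts named in the two steps above and, if asked,
    applies the removals. The file paths are the advisory's; the web-root
    argument, the candidate locations of the utils directory and of an
    "/hrtest" copy, and the use of a case-insensitive match on "utils" to find
    the referencing line in header.htm are assumptions. It runs against a
    constructed temporary tree, not a real installation.

```shell
#!/bin/sh
# Added audit helper for the AusCERT AA-2004.003 workaround.
# Not part of the advisory or of PeopleSoft; the web-root argument and the
# candidate utils/hrtest locations are assumptions, the file names are not.

# Check 1: does user/components/header.htm (or an assumed hrtest copy) still
# carry a line referencing utils?  Returns 0 when clean, 1 when a reference remains.
check_header_refs() {
    root="$1"
    found=0
    for hdr in "$root/user/components/header.htm" "$root/hrtest/components/header.htm"; do
        [ -f "$hdr" ] || continue
        # Case-insensitive substring match is an assumption about the reference syntax.
        if grep -qi 'utils' "$hdr"; then
            echo "REFERENCE: $hdr still references utils"
            found=1
        fi
    done
    return $found
}

# Check 2: does a utils directory still exist?  Candidate locations are assumed.
check_utils_dir() {
    root="$1"
    found=0
    for d in "$root/user/utils" "$root/utils" "$root/hrtest/utils"; do
        if [ -d "$d" ]; then
            echo "PRESENT: directory $d"
            found=1
        fi
    done
    return $found
}

# Check 3: is HA_DIRECT_DEP_DTL_save.asp still present at the advisory's path?
check_dep_script() {
    root="$1"
    f="$root/user/ASP/HA_DIRECT_DEP_DTL/HA_DIRECT_DEP_DTL_save.asp"
    if [ -f "$f" ]; then
        echo "PRESENT: $f"
        return 1
    fi
    return 0
}

# Run all checks; returns 0 only when every artefact is gone.
audit_hrms_root() {
    root="$1"
    rc=0
    check_header_refs "$root" || rc=1
    check_utils_dir "$root" || rc=1
    check_dep_script "$root" || rc=1
    return $rc
}

# Apply the workaround: drop the referencing line, remove utils, remove the ASP file.
remediate_root() {
    root="$1"
    for hdr in "$root/user/components/header.htm" "$root/hrtest/components/header.htm"; do
        [ -f "$hdr" ] || continue
        # grep -v returns non-zero when no line survives; the header is then left intact.
        if grep -vi 'utils' "$hdr" > "$hdr.tmp"; then
            mv "$hdr.tmp" "$hdr"
        else
            rm -f "$hdr.tmp"
        fi
    done
    rm -rf "$root/user/utils" "$root/utils" "$root/hrtest/utils"
    rm -f "$root/user/ASP/HA_DIRECT_DEP_DTL/HA_DIRECT_DEP_DTL_save.asp"
}

# Build a constructed sample tree that exhibits all three artefacts (not real data).
make_sample_root() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/user/components" "$tmp/user/utils" "$tmp/user/ASP/HA_DIRECT_DEP_DTL"
    printf '<html>\n<!-- constructed sample header -->\n<script src="utils/debug.js"></script>\n</html>\n' \
        > "$tmp/user/components/header.htm"
    : > "$tmp/user/ASP/HA_DIRECT_DEP_DTL/HA_DIRECT_DEP_DTL_save.asp"
    echo "$tmp"
}

# Demonstration: audit the sample, remediate, audit again.
sample="$(make_sample_root)"
echo "--- before remediation ---"
audit_hrms_root "$sample" || echo "audit result: artefacts present"
remediate_root "$sample"
echo "--- after remediation ---"
audit_hrms_root "$sample" && echo "audit result: clean"
rm -rf "$sample"
```

    To use it against a real web root, call audit_hrms_root with that path
    and review what it reports before running remediate_root; the grep match
    on "utils" is deliberately broad, so inspect the flagged line rather than
    trusting the match blindly.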

- ---------------------------------------------------------------------------
AusCERT would like to thank Paul Szabo of the School of Mathematics and
Statistics, University of Sydney for the information contained in this
advisory.
- ---------------------------------------------------------------------------
AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQVjDpSh9+71yA2DNAQJ6VwP/evi7pgQJZTZVNT/YYpBy9K2n9BaH+5rK
23ix0e4P1c/gRtOcNSfOTUzwf4FlS6kdpTliqYanUs0VsOCTJwjp4GM6sme6lIjd
SW4UuLB9Ig7XmNbuMUdqN8uo0sHpHCuII1ljof4tqVsYMISSQ4BpPyaoIfQC8DXL
8izC1yp0yJw=
=8KPo
-----END PGP SIGNATURE-----