| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 7 Oct 2003 20:58:24 -0000 From: <info@...ssure.com> To: bugtraq@...urityfocus.com Subject: PeopleSoft <Control><J> Information Disclosure Vendor: PeopleSoft Solution ID: 200749177 Product: People Tools Version: 8.42, Others? Platform: Solaris 8, BEA WebLogic, Others? Remote/Local: Remote, Authenticated Title: Information Gathering Impact: Disclosure of potentially sensitive information Description: <Control><J> is a hot key that is used by everyone that helps in troubleshooting many issues within the PIA or Portal environment. Ever since PeopleTools 8.1x, <Control><J> allows us to see information like: Browser and its version, name of Operating System, PeopleTools version, Application type and its version, Service Pack number, current Menu name, and current Component name, current Page name, the UserID who is logging in, the name of the Database logged into, the Database platform, and the IP of the Application Server. Although most of the information may seem to be harmless, some of the information is considered too sensitive and should not be shared with all of the user community. The following information should be hidden from the users: the UserID who is logging in, the name of the Database logged into, the Database platform, and the IP of the Application Server. Vendor Solution: Control - J functionality is modified by changing the following line in configuration.properties: # If set to true, the database name and other potentially sensitive connection information # will appear in the HTML generated for use in a help display. # Default: true connectionInformation=true Setting this value to false will hide security related information from CTLR-J and HTML object PT_INFOPAGE will be displayed: Browser IE/6.0 Operating System WINNT Browser Compression ON (gzip) Tools Release 8.42.01 Application Release HRMS 8.80.00.000 Service Pack 0 Page NID_LOOKUP Component NID_LOOKUP Menu ADMINISTER_WORKFORCE_(GBL) If connectionInformation=true, the following HTML object PT_INFOPAGECONNECT is displayed: Browser IE/6.0 Operating System WINNT Browser Compression ON (gzip) Tools Release 8.42.01 Application Release HRMS 8.80.00.000 Service Pack 0 Page NID_LOOKUP Component NID_LOOKUP Menu ADMINISTER_WORKFORCE_(GBL) User ID PS Database Name HRMS Database Type MICROSFT Application Server //127.0.0.1:9000 Further, the actual HTML objects can be modified to restrict display of sensitive objects. Please note that this is a customization to a delivered PeopleTools object and will require special attention when applying PeopleTools patches and upgrades. Vendor Trail: 3 June 03 PeopleSoft contacted 3 June 03 PeopleSoft confirms 24 June 03 PeopleSoft teleconference 19 July 03 PeopleSoft posts to Customer Connection Contributers: Barrett McGuire Larry Wargo Matt Fotter
Powered by blists - more mailing lists