lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20031007205824.24935.qmail@sf-www3-symnsj.securityfocus.com>
Date: 7 Oct 2003 20:58:24 -0000
From: <info@...ssure.com>
To: bugtraq@...urityfocus.com
Subject: PeopleSoft <Control><J> Information Disclosure




Vendor:        		PeopleSoft
Solution ID:		200749177
Product:       		People Tools
Version:       		8.42, Others? 
Platform:      		Solaris 8, BEA WebLogic, Others?
Remote/Local:  		Remote, Authenticated
Title:         		Information Gathering
Impact:        		Disclosure of potentially sensitive information


Description:		
<Control><J> is a hot key that is used by everyone that helps in troubleshooting many issues within the PIA or Portal environment. Ever since PeopleTools 8.1x, <Control><J> allows us to see information like: Browser and its version, name of Operating System, PeopleTools version, Application type and its version, Service Pack number, current Menu name, and current Component name, current Page name, the UserID who is logging in, the name of the Database logged into, the Database platform, and the IP of the Application Server.

Although most of the information may seem to be harmless, some of the information is considered too sensitive and should not be shared with all of the user community. The following information should	be hidden from the users: the UserID who is logging in, the name of the Database logged into, the Database platform, and the IP of the Application Server.


Vendor Solution:	
Control - J functionality is modified by changing the following line in configuration.properties:

# If set to true, the database name and other potentially sensitive connection information
# will appear in the HTML generated for use in a help display.
# Default: true
connectionInformation=true

Setting this value to false will hide security related information from CTLR-J and HTML object PT_INFOPAGE will be displayed:

Browser IE/6.0
Operating System WINNT
Browser Compression ON (gzip)
Tools Release 8.42.01
Application Release HRMS 8.80.00.000
Service Pack 0
Page NID_LOOKUP
Component NID_LOOKUP
Menu ADMINISTER_WORKFORCE_(GBL)

If connectionInformation=true, the following HTML object PT_INFOPAGECONNECT is displayed:

Browser IE/6.0
Operating System WINNT
Browser Compression ON (gzip)
Tools Release 8.42.01
Application Release HRMS 8.80.00.000
Service Pack 0
Page NID_LOOKUP
Component NID_LOOKUP
Menu ADMINISTER_WORKFORCE_(GBL)
User ID PS
Database Name HRMS
Database Type MICROSFT
Application Server //127.0.0.1:9000

Further, the actual HTML objects can be modified to restrict display of sensitive objects. Please note that this is a customization to a delivered PeopleTools object and will require special attention when applying PeopleTools patches and upgrades.


Vendor Trail:  		
3 June 03 	PeopleSoft contacted
3 June 03 	PeopleSoft confirms
24 June 03	PeopleSoft teleconference
19 July 03	PeopleSoft posts to Customer Connection
			

Contributers:
  		
Barrett McGuire 
Larry Wargo
Matt Fotter


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ