[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20031007205824.24935.qmail@sf-www3-symnsj.securityfocus.com>
Date: 7 Oct 2003 20:58:24 -0000
From: <info@...ssure.com>
To: bugtraq@...urityfocus.com
Subject: PeopleSoft <Control><J> Information Disclosure
Vendor: PeopleSoft
Solution ID: 200749177
Product: People Tools
Version: 8.42, Others?
Platform: Solaris 8, BEA WebLogic, Others?
Remote/Local: Remote, Authenticated
Title: Information Gathering
Impact: Disclosure of potentially sensitive information
Description:
<Control><J> is a hot key that is used by everyone that helps in troubleshooting many issues within the PIA or Portal environment. Ever since PeopleTools 8.1x, <Control><J> allows us to see information like: Browser and its version, name of Operating System, PeopleTools version, Application type and its version, Service Pack number, current Menu name, and current Component name, current Page name, the UserID who is logging in, the name of the Database logged into, the Database platform, and the IP of the Application Server.
Although most of the information may seem to be harmless, some of the information is considered too sensitive and should not be shared with all of the user community. The following information should be hidden from the users: the UserID who is logging in, the name of the Database logged into, the Database platform, and the IP of the Application Server.
Vendor Solution:
Control - J functionality is modified by changing the following line in configuration.properties:
# If set to true, the database name and other potentially sensitive connection information
# will appear in the HTML generated for use in a help display.
# Default: true
connectionInformation=true
Setting this value to false will hide security related information from CTLR-J and HTML object PT_INFOPAGE will be displayed:
Browser IE/6.0
Operating System WINNT
Browser Compression ON (gzip)
Tools Release 8.42.01
Application Release HRMS 8.80.00.000
Service Pack 0
Page NID_LOOKUP
Component NID_LOOKUP
Menu ADMINISTER_WORKFORCE_(GBL)
If connectionInformation=true, the following HTML object PT_INFOPAGECONNECT is displayed:
Browser IE/6.0
Operating System WINNT
Browser Compression ON (gzip)
Tools Release 8.42.01
Application Release HRMS 8.80.00.000
Service Pack 0
Page NID_LOOKUP
Component NID_LOOKUP
Menu ADMINISTER_WORKFORCE_(GBL)
User ID PS
Database Name HRMS
Database Type MICROSFT
Application Server //127.0.0.1:9000
Further, the actual HTML objects can be modified to restrict display of sensitive objects. Please note that this is a customization to a delivered PeopleTools object and will require special attention when applying PeopleTools patches and upgrades.
Vendor Trail:
3 June 03 PeopleSoft contacted
3 June 03 PeopleSoft confirms
24 June 03 PeopleSoft teleconference
19 July 03 PeopleSoft posts to Customer Connection
Contributers:
Barrett McGuire
Larry Wargo
Matt Fotter
Powered by blists - more mailing lists