Software vulnerabilities in a component of PeopleSoft's PeopleTools application framework could be used to launch attacks against a wide range of PeopleSoft installations and give attackers remote access to sensitive or confidential information.
Internet Security Systems' (ISS) X-Force organisation said the vulnerabilities existed in code for a small program called "SchedulerTransfer" that resides on the PeopleSoft web server.
The small program, or "servlet", is used to move PeopleSoft reports to and from a report repository on the web server.
Using the SchedulerTransfer servlet, report files can be transmitted using HTTP (Hypertext Transfer Protocol) or HTTPS (HTTP over Secure Socket Layer) protocols. The servlet is configured to run by default on the PeopleSoft web server and no user authentication is necessary to access the servlet or upload report files, according to ISS.
The SchedulerTransfer code does an insufficient job of defending against what are known as "directory traversal" attacks, which allow an intruder to bypass a server's directory access restrictions and roam about a remote server's directory structure.
An attacker could use a directory traversal attack to create or overwrite files on the PeopleSoft web server outside of the directory that was specified to receive uploaded reports.
For example, attackers could replace legitimate servlets with their own versions of those files or place other programs on the web server that would allow them to remotely execute commands and gain control of the server. The flaw could also be used in other ways to execute commands remotely.
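The kind of check the article says the upload code lacked, shown as an added defensive example in Python; this is not PeopleSoft's code, and the repository path `/psreports` and the `resolve_report_path` name are constructed for illustration.

```python
import posixpath

# Constructed placeholder for the directory configured to receive uploaded reports.
REPORT_REPOSITORY = "/psreports"


class TraversalError(ValueError):
    """Raised when a client-supplied report name would escape the repository."""


def resolve_report_path(repository: str, requested_name: str) -> str:
    """Return the absolute path an uploaded report may be written to.

    The name must be fully decoded (e.g. URL-decoded) before it reaches this
    function; checking an encoded form lets '%2e%2e' slip past the filter.
    """
    if not requested_name or "\0" in requested_name:
        raise TraversalError("empty or NUL-containing name")
    # Treat backslashes as separators as well, as a Windows host would.
    candidate = requested_name.replace("\\", "/")
    if candidate.startswith("/"):
        raise TraversalError("absolute path not allowed")
    base = posixpath.normpath(repository)
    # normpath collapses '..' segments, so the only question left is whether
    # the result still lies strictly beneath the configured repository.
    target = posixpath.normpath(posixpath.join(base, candidate))
    if target == base:
        raise TraversalError("name resolves to the repository itself")
    if not target.startswith(base + "/"):
        raise TraversalError("name escapes the report repository: %r" % requested_name)
    return target


def is_safe_report_name(repository: str, requested_name: str) -> bool:
    """Convenience wrapper: True if the name stays inside the repository."""
    try:
        resolve_report_path(repository, requested_name)
        return True
    except TraversalError:
        return False
```

On a live server, also resolve symbolic links (`os.path.realpath`) before comparing, since a link inside the repository can point outside it.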
PeopleTools is an integrated development environment and runtime architecture that allows organisations to develop, deploy and maintain customised applications for the PeopleSoft environment.
PeopleTools and the SchedulerTransfer servlet are included with many PeopleSoft installations including the company's customer relationship management (CRM), financial management (FMS) and supply chain management (SCM) solutions.
Compromising those systems could lead to the disclosure of confidential information or be used to compromise PeopleSoft application and database servers.
PeopleSoft fixed the vulnerabilities reported by ISS in PeopleTools versions 8.19 and 8.42, and patches are also available in PeopleTools 8.18.06 and 8.41.05.
For those customers who are unable to upgrade to a fixed or patched version of PeopleTools, ISS recommended disabling the SchedulerTransfer servlet.