PeopleSoft SchedulerTransfer servlet can be used to create and overwrite files
peoplesoft-schedulertransfer-create-files (10962)
Description:
PeopleSoft PeopleTools could allow a remote attacker to overwrite or create files on the system, caused by a vulnerability in the SchedulerTransfer Servlet, which is installed by default. A remote attacker could exploit this vulnerability to overwrite any known servlet or create arbitrary servlets on the system, if the attacker could determine the absolute path to the targeted servlet or the servlet directory. This attack could result in complete compromise of PeopleSoft Web Server installations.
Platforms Affected:
- Oracle, PeopleSoft PeopleTools 8.10
- Oracle, PeopleSoft PeopleTools 8.11
- Oracle, PeopleSoft PeopleTools 8.12
- Oracle, PeopleSoft PeopleTools 8.13
- Oracle, PeopleSoft PeopleTools 8.14
- Oracle, PeopleSoft PeopleTools 8.15
- Oracle, PeopleSoft PeopleTools 8.16
- Oracle, PeopleSoft PeopleTools 8.17
- Oracle, PeopleSoft PeopleTools 8.18
- Oracle, PeopleSoft PeopleTools 8.40
- Oracle, PeopleSoft PeopleTools 8.41
Remedy:
Enable the following checks in the ISS Protection Platform:
HTTP_POST_PeopleSoft_Traversal
Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port configured on install
For Manual Protection:
Upgrade to the latest version of PeopleTools (8.19 or later, or 8.42 or later), available from PeopleSoft's Customer Connection Web site.
—OR—
Apply the appropriate patch for your system (8.18.06 or 8.41.05), available from PeopleSoft's Customer Connection Web site. See References.
As a workaround, PeopleSoft administrators should either block or restrict access to the SchedulerTransfer servlet. In addition, administrators should take advantage of the security mechanisms that BEA WebLogic and IBM WebSphere Servers provide to restrict access based on the requirements of users.
Administrators should examine the following configuration properties and tune them to their individual environments. To remove this vulnerability, the following servlets should be restricted within the weblogic.properties file or from the WebSphere administration console:
In a WebLogic installation within "weblogic.properties":
weblogic.httpd.register.servlets/SchedulerTransfer=SchedulerTransfer
weblogic.allow.execute.weblogic.servlet.servlets/SchedulerTransfer=system
In a WebSphere installation:
Restrict access to the SchedulerTransfer servlet from within the "Configure Application Security" menu.
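As an added defender-side example (not part of the X-Force record or of any PeopleSoft tooling), the following Python script scans web server access-log lines for requests to the SchedulerTransfer servlet that carry directory-traversal steps, in the spirit of the HTTP_POST_PeopleSoft_Traversal check named above. The servlet URL /servlets/SchedulerTransfer is an assumption derived from the weblogic.properties entry, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumed servlet URL, derived from the weblogic.properties entry
# "servlets/SchedulerTransfer" quoted in the remedy (not stated by the record).
SERVLET_PATH = "/servlets/SchedulerTransfer"
# A '..' path step followed by a slash or the end of the decoded target.
TRAVERSAL = re.compile(r"(?<!\.)\.\.(?:/|$)")
# NCSA common log format, as written by WebLogic/WebSphere access logging.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')

def normalise(target: str) -> str:
    """Percent-decode twice (catches %252e double encoding) and unify slashes."""
    return unquote(unquote(target)).replace("\\", "/")

def is_traversal_attempt(target: str) -> bool:
    """True when the request target addresses SchedulerTransfer and, after
    decoding, carries a '..' step in its path or query string."""
    path = normalise(target)
    return path.startswith(SERVLET_PATH) and TRAVERSAL.search(path) is not None

def scan_access_log(lines):
    """Return (host, time, method, target, status) for each matching request.
    Lines that do not parse are skipped. Only the request line is inspected:
    a file name carried in a POST body never reaches the access log, so this
    complements, rather than replaces, an inline IPS check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["target"]):
            hits.append((m["host"], m["time"], m["method"], m["target"], m["status"]))
    return hits

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2003:12:00:00 -0500] "POST /servlets/SchedulerTransfer/report.txt HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Mar/2003:12:01:00 -0500] "POST /servlets/SchedulerTransfer/../../x.class HTTP/1.1" 200 0',
    '192.0.2.10 - - [10/Mar/2003:12:01:05 -0500] "POST /servlets/SchedulerTransfer/%2e%2e%2f%2e%2e%2fx.class HTTP/1.1" 200 0',
    '198.51.100.4 - - [10/Mar/2003:12:01:30 -0500] "POST /servlets/SchedulerTransfer?name=..%2F..%2Fcfg.xml HTTP/1.1" 200 0',
    '10.0.0.7 - - [10/Mar/2003:12:02:00 -0500] "GET /servlets/psp/ps/EMPLOYEE/signon.html HTTP/1.1" 200 2048',
    'not a log line',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

A hit with a 200 status against an unpatched host is the case worth escalating, since the advisory describes the overwrite succeeding silently.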
Consequences:
Gain Access
References:
- CIAC Information Bulletin N-052, PeopleSoft PeopleTools Remote Command Execution Vulnerability at http://www.ciac.org/ciac/bulletins/n-052.shtml.
- Internet Security Systems Security Advisory, March 10, 2003, PeopleSoft PeopleTools Remote Command Execution Vulnerability at http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21999.
- PeopleSoft Customer Connection Web site, PeopleSoft Website Login Page at http://www4.peoplesoft.com/cchomepage.nsf.
- BID-7053: PeopleSoft PeopleTools SchedulerTransfer Remote Command Execution Vulnerability
- CVE-2003-0104: Directory traversal vulnerability in PeopleTools 8.10 through 8.18, 8.40, and 8.41 allows remote attackers to overwrite arbitrary files via the SchedulerTransfer servlet.
Reported:
Mar 10, 2003
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
