Information Security News mailing list archives

Security alert posted for PeopleSoft


From: InfoSec News <isn () c4i org>
Date: Tue, 11 Mar 2003 04:47:54 -0600 (CST)

http://news.com.com/2100-1009-991907.html?tag=fd_top

By Alorie Gilbert 
Staff Writer, CNET News.com
March 10, 2003, 4:30 PM PT

A serious security flaw in business management software from
PeopleSoft leaves sensitive corporate data vulnerable to hackers, a
computer security service firm warned Monday.

The flaw, known as a remote command execution vulnerability, gives
outsiders the ability to install malicious computer code on PeopleSoft
customers' Web servers, potentially leading to a "complete compromise"
of their PeopleSoft business systems, according to Internet Security
Systems (ISS), the Atlanta-based computer security company that issued
the warning.

"Compromise of PeopleSoft Web server installations may disclose
critical confidential information and facilitate the compromise of
PeopleSoft application and database back-end servers," stated the ISS
advisory.

Pleasanton, Calif.-based PeopleSoft supplies software designed to
streamline accounting, human resources, sales and manufacturing
activities to more than 5,000 companies around the world. The flaw
affects only certain releases of PeopleSoft version 8, which the
company began shipping in 2000. Nearly 2,000 companies have installed
version 8, according to PeopleSoft spokesman Steve Swasey. He
declined, however, to comment on how many of those customers could be
affected by the vulnerability.

The flawed software, which runs by default, is present in numerous
versions of a core component of PeopleSoft's applications called
PeopleSoft Tools, including versions 8.4, 8.41 and 8.10 through 8.18.
Specifically, the problem lies in a small Java program, known as a
"servlet," that resides on PeopleSoft Web servers and can be used to
upload files without any authentication. According to PeopleSoft, the
servlet's purpose is to transfer business reports between servers using
Internet protocols such as HTTP (hypertext transfer protocol).
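Two defender-side checks suggested by this paragraph, as an added example that is not from the article, ISS or PeopleSoft: a version test against the releases listed above, and a scan of Web-server access logs for anonymous uploads to the report-transfer servlet. The servlet path, the log format and the log lines are assumptions constructed for the example.

```python
import re

# Releases the article names as affected: 8.4, 8.41 and 8.10 through 8.18.
AFFECTED_EXACT = {(8, 4), (8, 41)}
AFFECTED_RANGE = ((8, 10), (8, 18))

# Hypothetical path for the report-transfer servlet; the article gives none,
# so substitute the path named in the vendor advisory.
SERVLET_PATH = "/psreports/upload"

# Common Log Format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2003:16:30:01 -0800] "POST /psreports/upload HTTP/1.1" 200 512',
    '198.51.100.9 - jdoe [10/Mar/2003:16:31:10 -0800] "POST /psreports/upload HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2003:16:32:44 -0800] "GET /index.html HTTP/1.1" 200 2048',
]

def parse_version(text):
    """'8.18.02' -> (8, 18). Integer components keep 8.4 and 8.40 distinct
    and order 8.4 before 8.10, which a float comparison would get wrong."""
    return tuple(int(p) for p in text.strip().split(".")[:2])

def is_affected(version):
    """True when a PeopleSoft Tools version falls in the article's list."""
    v = parse_version(version)
    lo, hi = AFFECTED_RANGE
    return v in AFFECTED_EXACT or lo <= v <= hi

def unauthenticated_uploads(log_lines, servlet_path=SERVLET_PATH):
    """Flag POST/PUT requests to the servlet path with no authenticated user
    ('-' in the CLF user field). That field only reflects Web-server-level
    auth, so a hit is a signal to investigate, not proof of exploitation."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        if (m["method"] in ("POST", "PUT") and m["path"].startswith(servlet_path)
                and m["user"] == "-"):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits
```

Running `unauthenticated_uploads(SAMPLE_LOG)` returns only the anonymous POST from 203.0.113.5; the authenticated upload and the GET are ignored.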

PeopleSoft released patches to correct the problem several weeks ago,
Swasey said. The patches and details about the vulnerability are
available on the company's private Web site for PeopleSoft customers
as well as through ISS. PeopleSoft has yet to hear of any problems
related to the security flaw, Swasey added. An ISS spokesman also said
the flaw had not yet been exploited, as far as he knew.

PeopleSoft touts version 8 of its applications as a major advancement
of its technology because of its use of Internet protocols. PeopleSoft
competitors SAP, Siebel Systems and Oracle have also released software
designed to run over the Web.



-
ISN is currently hosted by Attrition.org
