PeopleSoft <Control><J> Information Disclosure




Vendor:                 PeopleSoft
Solution ID:            200749177
Product:                People Tools
Version:                8.42, Others? 
Platform:               Solaris 8, BEA WebLogic, Others?
Remote/Local:           Remote, Authenticated
Title:                  Information Gathering
Impact:                 Disclosure of potentially sensitive information


Description:            
<Control><J> is a hot key, available to every user, that helps in 
troubleshooting many issues within the PIA or Portal environment. Ever since 
PeopleTools 8.1x, <Control><J> displays information such as: the browser and 
its version, the name of the operating system, the PeopleTools version, the 
application type and its version, the Service Pack number, the current Menu 
name, the current Component name, the current Page name, the UserID that is 
logged in, the name of the Database logged into, the Database platform, and 
the IP address of the Application Server.

Although most of this information may seem harmless, some of it is too 
sensitive to be shared with the whole user community. The following items 
should be hidden from users: the UserID that is logged in, the name of the 
Database logged into, the Database platform, and the IP address of the 
Application Server.


Vendor Solution:        
Control-J behaviour is controlled by the following setting in 
configuration.properties:

# If set to true, the database name and other potentially sensitive connection 
information
# will appear in the HTML generated for use in a help display.
# Default: true
connectionInformation=true

Setting this value to false hides the security-related information from 
CTRL-J, and the HTML object PT_INFOPAGE is displayed instead:

Browser IE/6.0
Operating System WINNT
Browser Compression ON (gzip)
Tools Release 8.42.01
Application Release HRMS 8.80.00.000
Service Pack 0
Page NID_LOOKUP
Component NID_LOOKUP
Menu ADMINISTER_WORKFORCE_(GBL)

If connectionInformation=true, the HTML object PT_INFOPAGECONNECT is displayed 
instead, with the additional connection details:

Browser IE/6.0
Operating System WINNT
Browser Compression ON (gzip)
Tools Release 8.42.01
Application Release HRMS 8.80.00.000
Service Pack 0
Page NID_LOOKUP
Component NID_LOOKUP
Menu ADMINISTER_WORKFORCE_(GBL)
User ID PS
Database Name HRMS
Database Type MICROSFT
Application Server //127.0.0.1:9000

Further, the actual HTML objects can be modified to restrict display of 
sensitive objects. Please note that this is a customization to a delivered 
PeopleTools object and will require special attention when applying PeopleTools 
patches and upgrades.
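The following audit script is an added example, not part of the advisory or of any PeopleSoft-delivered code. It parses a configuration.properties file (standard Java-properties key=value syntax with '#' comments), reports whether Ctrl-J would render PT_INFOPAGECONNECT (connection details shown) or PT_INFOPAGE (connection details hidden), treating a missing key as the documented default of true, and produces a hardened copy with connectionInformation=false. The sample file contents and the key someOtherSetting are constructed for illustration.

```python
"""Audit a PeopleSoft PIA configuration.properties for the Ctrl-J
connectionInformation setting described in the advisory.

Added example; assumes the file uses Java-properties syntax. The sample
contents below are constructed, not taken from a real installation.
"""

from typing import Dict

KEY = "connectionInformation"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-properties parser: skips blanks and '#'/'!' comments,
    splits on the first '=' (or ':' when no '=' is present)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def connection_info_exposed(text: str) -> bool:
    """True when Ctrl-J will show PT_INFOPAGECONNECT (User ID, Database Name,
    Database Type, Application Server). An absent key means the documented
    default, true, so an unconfigured file counts as exposed."""
    value = parse_properties(text).get(KEY, "true")
    return value.lower() == "true"


def audit(text: str) -> str:
    """Human-readable finding for the given file contents."""
    if connection_info_exposed(text):
        return "EXPOSED: Ctrl-J renders PT_INFOPAGECONNECT (set connectionInformation=false)"
    return "OK: Ctrl-J renders PT_INFOPAGE (connection details hidden)"


def harden(text: str) -> str:
    """Return a copy of the file with connectionInformation=false, replacing
    an existing non-comment setting in place or appending one if absent.
    All other lines, including comments, are preserved verbatim."""
    out = []
    found = False
    for raw in text.splitlines():
        stripped = raw.strip()
        is_comment = stripped.startswith(("#", "!"))
        key = stripped.partition("=")[0].strip()
        if not is_comment and key == KEY:
            out.append(f"{KEY}=false")
            found = True
        else:
            out.append(raw)
    if not found:
        out.append(f"{KEY}=false")
    return "\n".join(out) + "\n"


# Constructed sample files (someOtherSetting is a placeholder key).
SAMPLE_EXPOSED = """# Default: true
someOtherSetting=value
connectionInformation=true
"""

SAMPLE_HARDENED = """someOtherSetting=value
connectionInformation=false
"""

# No connectionInformation line at all: the default (true) applies.
SAMPLE_DEFAULT = """someOtherSetting=value
"""


if __name__ == "__main__":
    for name, sample in (("exposed", SAMPLE_EXPOSED),
                         ("hardened", SAMPLE_HARDENED),
                         ("default", SAMPLE_DEFAULT)):
        print(f"{name:9s} -> {audit(sample)}")
    print(harden(SAMPLE_DEFAULT))
```

Run it against the real file with `connection_info_exposed(open(path).read())`; the harden() output is meant to be reviewed and then written back by the administrator, after which the web server domain must be restarted for PIA to pick up the change.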


Vendor Trail:           
3 June 03       PeopleSoft contacted
3 June 03       PeopleSoft confirms
24 June 03      PeopleSoft teleconference
19 July 03      PeopleSoft posts to Customer Connection
                        

Contributors:
                
Barrett McGuire 
Larry Wargo
Matt Fotter