PeopleSoft <Control><J> Information Disclosure

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PeopleSoft <Control><J> Information Disclosure
From: <info@xxxxxxxxxxxx>
Date: 7 Oct 2003 20:58:24 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Vendor:                 PeopleSoft
Solution ID:            200749177
Product:                People Tools
Version:                8.42, Others? 
Platform:               Solaris 8, BEA WebLogic, Others?
Remote/Local:           Remote, Authenticated
Title:                  Information Gathering
Impact:                 Disclosure of potentially sensitive information


Description:            
<Control><J> is a hot key that is used by everyone that helps in 
troubleshooting many issues within the PIA or Portal environment. Ever since 
PeopleTools 8.1x, <Control><J> allows us to see information like: Browser and 
its version, name of Operating System, PeopleTools version, Application type 
and its version, Service Pack number, current Menu name, and current Component 
name, current Page name, the UserID who is logging in, the name of the Database 
logged into, the Database platform, and the IP of the Application Server.

Although most of the information may seem to be harmless, some of the 
information is considered too sensitive and should not be shared with all of 
the user community. The following information should be hidden from the users: 
the UserID who is logging in, the name of the Database logged into, the 
Database platform, and the IP of the Application Server.


Vendor Solution:        
Control - J functionality is modified by changing the following line in 
configuration.properties:

# If set to true, the database name and other potentially sensitive connection 
information
# will appear in the HTML generated for use in a help display.
# Default: true
connectionInformation=true

Setting this value to false will hide security related information from CTLR-J 
and HTML object PT_INFOPAGE will be displayed:

Browser IE/6.0
Operating System WINNT
Browser Compression ON (gzip)
Tools Release 8.42.01
Application Release HRMS 8.80.00.000
Service Pack 0
Page NID_LOOKUP
Component NID_LOOKUP
Menu ADMINISTER_WORKFORCE_(GBL)

If connectionInformation=true, the following HTML object PT_INFOPAGECONNECT is 
displayed:

Browser IE/6.0
Operating System WINNT
Browser Compression ON (gzip)
Tools Release 8.42.01
Application Release HRMS 8.80.00.000
Service Pack 0
Page NID_LOOKUP
Component NID_LOOKUP
Menu ADMINISTER_WORKFORCE_(GBL)
User ID PS
Database Name HRMS
Database Type MICROSFT
Application Server //127.0.0.1:9000

Further, the actual HTML objects can be modified to restrict display of 
sensitive objects. Please note that this is a customization to a delivered 
PeopleTools object and will require special attention when applying PeopleTools 
patches and upgrades.


Vendor Trail:           
3 June 03       PeopleSoft contacted
3 June 03       PeopleSoft confirms
24 June 03      PeopleSoft teleconference
19 July 03      PeopleSoft posts to Customer Connection
                        

Contributers:
                
Barrett McGuire 
Larry Wargo
Matt Fotter

Prev by Date: Openoffice 1.1.0 DoS
Next by Date: Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability
Previous by thread: Openoffice 1.1.0 DoS
Next by thread: Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability
Index(es):
- Date
- Thread