Software vulnerabilities in one component of PeopleSoft's PeopleTools application framework could be used to launch attacks against a wide range of PeopleSoft installations and give attackers remote access to sensitive or confidential information.
The vulnerabilities exist in code for a small program called "SchedulerTransfer" that resides on the PeopleSoft Web server, according to an alert published by Internet Security Systems Inc.'s (ISS) X-Force organization.
The small program, or "servlet," is used to move PeopleSoft reports to and from a report repository on the Web server, ISS said.
Using the SchedulerTransfer servlet, report files can be transmitted using HTTP (Hypertext Transfer Protocol) or HTTPS (HTTP over Secure Sockets Layer) protocols. The servlet is configured to run by default on the PeopleSoft Web server, and no user authentication is necessary to access the servlet or upload report files, according to ISS.
The SchedulerTransfer code does an insufficient job of defending against what are known as "directory traversal" attacks, which allow an intruder to bypass a server's directory access list restrictions and roam about a remote server's directory structure, ISS said.
An attacker could use a directory traversal attack to create or overwrite files on the PeopleSoft Web server outside of the directory that was specified to receive uploaded reports.
For example, attackers could replace legitimate servlets with their own versions of those files or place other programs on the Web server that would allow them to remotely execute commands and gain control of the server, ISS said.
The flaw could be used in other ways to execute commands remotely, as well, ISS said.
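The defensive counterpart to the flaw described above is a file-transfer endpoint that confines every uploaded report to its repository directory. The following is an added example, not PeopleSoft's or ISS's code, written in Python rather than Java for brevity; the function names, the repository layout and the constructed sample names are assumptions for illustration. It rejects traversal segments outright instead of trying to strip them, and then re-checks the resolved path against the canonical repository root so that absolute paths, backslash separators and symlinked prefixes are caught as well.

```python
"""Hardened filename-to-path resolution for an upload repository.

Added example (not PeopleSoft's or ISS's code). Demonstrates how a report
transfer endpoint can keep uploaded files inside their intended directory.
Helper names and the sample inputs below are constructed for illustration.
"""
import os
import posixpath
import tempfile


class TraversalAttempt(ValueError):
    """Raised when a submitted report name would escape the repository."""


def resolve_report_path(repo_dir: str, submitted_name: str) -> str:
    """Return the absolute path under repo_dir for submitted_name, or raise.

    Two layers: a syntactic check on the submitted name, then a check that
    the fully resolved path still lies inside the canonical repository root.
    """
    if not submitted_name or "\x00" in submitted_name:
        raise TraversalAttempt("empty name or embedded NUL byte")
    # Treat backslashes as separators so Windows-style traversal is not missed.
    name = submitted_name.replace("\\", "/")
    if posixpath.isabs(name):
        raise TraversalAttempt(f"absolute path not allowed: {submitted_name!r}")
    # Refuse any traversal or empty segment rather than attempting to sanitise.
    for segment in name.split("/"):
        if segment in ("", ".", ".."):
            raise TraversalAttempt(f"illegal path segment in {submitted_name!r}")
    repo_root = os.path.realpath(repo_dir)
    candidate = os.path.realpath(os.path.join(repo_root, *name.split("/")))
    # Final containment check on the resolved path (catches symlinked prefixes).
    try:
        inside = os.path.commonpath([repo_root, candidate]) == repo_root
    except ValueError:  # e.g. different drives on Windows
        inside = False
    if not inside:
        raise TraversalAttempt(f"resolved outside repository: {submitted_name!r}")
    return candidate


def store_report(repo_dir: str, submitted_name: str, data: bytes) -> str:
    """Write an uploaded report only after its path has been validated."""
    path = resolve_report_path(repo_dir, submitted_name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


# Constructed sample names: two legitimate report names and several that try
# to leave the repository in different ways.
SAMPLE_NAMES = [
    "report.pdf",
    "sub/report.pdf",
    "../../outside.txt",
    "sub/../../outside.txt",
    "sub/../report.pdf",
    "..\\outside.txt",
    "/tmp/outside.txt",
    "report.pdf\x00.txt",
]


def classify_names(repo_dir: str, names) -> dict:
    """Map each name to 'accepted' or 'rejected' without writing anything."""
    results = {}
    for name in names:
        try:
            resolve_report_path(repo_dir, name)
            results[name] = "accepted"
        except TraversalAttempt:
            results[name] = "rejected"
    return results


def demo() -> dict:
    """Run the classification against a throwaway repository directory."""
    with tempfile.TemporaryDirectory() as repo:
        store_report(repo, "report.pdf", b"constructed report body")
        return classify_names(repo, SAMPLE_NAMES)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8s} {name!r}")
```

Note that `sub/../report.pdf` is rejected even though it would resolve inside the repository: refusing every `..` segment is simpler to reason about than deciding which ones are harmless, and legitimate clients have no reason to send them. This check addresses only the path-containment defect; it does not substitute for requiring authentication on the upload endpoint.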
PeopleTools is an integrated development environment and runtime architecture that allows organizations to develop, deploy and maintain customized applications for the PeopleSoft environment.
PeopleTools and the SchedulerTransfer servlet are included with many PeopleSoft installations, including the company's customer relationship management (CRM), financial management (FMS) and supply chain management (SCM) solutions, ISS said.
Compromising those systems could lead to the disclosure of confidential information or be used to compromise PeopleSoft application and database servers, ISS warned.
PeopleSoft fixed the vulnerabilities reported by ISS in PeopleTools versions 8.19 and 8.42, according to ISS.
Patches are also available in PeopleTools 8.18.06 and 8.41.05, ISS said.
For those customers who are unable to upgrade to a fixed or patched version of PeopleTools, ISS recommends disabling the SchedulerTransfer servlet.