PeopleSofts PeopleTools Contains Serious Flaw | eWeek

PeopleSofts PeopleTools Contains Serious Flaw

Verfasst von
Dennis Fisher
Dennis Fisher
Mar 10, 2003
1 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Security researchers have discovered a serious vulnerability in PeopleSoft Inc.s PeopleTools application framework that can lead to a complete compromise of the installations embedded Web server. This could in turn give the attacker confidential information about the server and its contents and help him compromise other PeoplSoft applications.

The flaw is in the Java servlet that moves reports to and from the PeopleSoft repository. By default, this servlet runs on the PeopleSoft Web server and does not require authentication for use.

The servlet, known as the SchedulerTransfer, contains code that handles uploading files sent by HTTP “post” requests. The software attempts to guard against directory-traversal attacks through a series of checks that remove certain path-separating characters from file names. But the checks are incomplete, making it possible for an attacker to create or overwrite files outside the specified directory to which files should be uploaded, according to an advisory released Monday by Internet Security Systems Inc.

The attacker could then overwrite existing Java servlets in order to execute his code on the vulnerable machine.

The vulnerability affects versions 8.10-8.18, 8.40 and 8.41 of PeopleTools, ISS said.

Most Recent Security Stories:

Search for more stories by Dennis Fisher.
Find white papers on security.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.