Just wanted to make you aware that there is a Cross-Site-Scripting vulnerability on the PeopleSoft Sign-In page. From my testing, this vulnerability exists in PeopleTools 8.43, 8.44, 8.48 and 8.49. It probably exists in others going back to version 8.0, but I don't have environments to test it in.
To exploit the issue, an attacker would insert JavaScript code into the SignOnDefault cookie, and somehow place the altered cookie onto a victim's workstation. To me that seems pretty unlikely, but I guess it'd be possible. My client considers it a high risk because the firm that audited their security considers it a high risk.
I opened a case with Oracle and they were able to recreate it. A fix is due for PeopleTools releases 8.48 and 8.49 sometime in July.
If you're not running PeopleTools 8.48 or 8.49, or if you don't want to wait for a fix, here's the workaround:
Modify signin.html on your web server. Find the tag that begins <input id="userid". Look for the value="<%=USERID%>" attribute. Change it to value="".
The problem with this workaround is that the User ID won't default when a user comes to the sign in page. But it certainly removes the Cross-Site-Scripting vulnerability.
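A check for the workaround above, as an added example rather than code from the original post or from Oracle: it finds the userid input in a signin.html file, reports whether its value attribute still holds <%=USERID%>, and blanks it. The sample markup is constructed and the function names are hypothetical.

```python
import re
import sys

# An <input ...> tag. The template placeholder contains '>', so it is
# matched as a unit; a plain [^>]* would cut the tag off at '%>'.
TAG = re.compile(r'<input\b(?:<%=.*?%>|[^>])*>', re.I | re.S)
# id="userid" (not name="userid", not data-id=...).
ID_ATTR = re.compile(r'(?<![\w-])id\s*=\s*["\']?userid\b', re.I)
# value="<%=USERID%>" with either quote style.
VALUE_ATTR = re.compile(r'(\bvalue\s*=\s*)(["\'])<%=\s*USERID\s*%>\2', re.I)

# Constructed sample, not the real signin.html.
SAMPLE = """<form>
<input type="hidden" name="example" value="0">
<input id="userid" name="userid" type="text" value="<%=USERID%>" class="x">
<input id="pwd" type="password">
</form>"""


def find_userid_tags(html):
    """Return the <input> tags whose id is userid."""
    return [m.group(0) for m in TAG.finditer(html) if ID_ATTR.search(m.group(0))]


def is_vulnerable(html):
    """True if a userid input still reflects <%=USERID%> in its value."""
    return any(VALUE_ATTR.search(tag) for tag in find_userid_tags(html))


def apply_workaround(html):
    """Blank the value attribute on the userid input only."""
    def fix(m):
        tag = m.group(0)
        return VALUE_ATTR.sub(r'\1\2\2', tag) if ID_ATTR.search(tag) else tag
    return TAG.sub(fix, html)


if __name__ == "__main__":
    # Pass the path to signin.html, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            html = fh.read()
    else:
        html = SAMPLE
    print("userid input found:", bool(find_userid_tags(html)))
    print("still reflects USERID:", is_vulnerable(html))
    print("after workaround:", is_vulnerable(apply_workaround(html)))
```

Running it against each web server's copy of signin.html after an upgrade or redeploy shows whether the edit has been overwritten.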
If you'd like to read more about Cross-Site Scripting, you can do so here and here.

Last Updated on Thursday, 12 June 2008 08:52.
Thanks for the information. We are currently on 8.49.27 Tools version and have the XSS issue. As you have mentioned 'A fix is due for PeopleTools releases 8.48 and 8.49 sometime in July', I was wondering if you know the patch/fix ID# so that I can refer to it in Oracle support. Any help is greatly appreciated. Thanks!