PeopleSoft PeopleTools psdoccgi.exe Remote Directory Traversal Vulnerability

Vulnerability ID: 1202335    Vulnerability type: Input validation
Published: 2003-11-13    Updated: 2009-07-12
CVE ID: CVE-2003-0626    CNNVD ID: CNNVD-200311-030
Platform: N/A    CVSS score: 5.0
|Vulnerability source
https://www.securityfocus.com/bid/9037
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200311-030
|Vulnerability details
PeopleSoft enterprise software integrates multiple business functions, including human resources, customer relationship, supply chain and financial management. The search CGI script shipped with PeopleSoft PeopleTools does not sufficiently filter user-supplied parameters, and a remote attacker can exploit this to carry out a directory traversal attack. The psdoccgi.exe search CGI application is used to search the PeopleBooks online documentation. It accepts two externally supplied parameters, headername and footername, which let the requester choose the page header and footer content returned in the response. Because the values of these parameters are not sufficiently filtered, an attacker who submits crafted values can bypass the WEBROOT restriction and read the contents of arbitrary files on the system with the privileges of the web server.
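An added illustration (not code from the advisory or from PeopleSoft) of the two defender-side checks this description points to: a path-containment check for the headername/footername values, shown beside the unfiltered lookup the advisory describes, and a scan of access-log lines for psdoccgi.exe requests whose parameter values carry a parent-directory step. The docroot path, the log format and the log lines are constructed assumptions.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

WEBROOT = "/srv/peoplebooks"                # assumed docroot; not from the advisory
PART_PARAMS = ("headername", "footername")  # parameters named in the advisory

def naive_part_path(webroot, name):
    # Behaviour the advisory describes: the parameter is joined onto the docroot
    # with no filtering, so "../" steps walk out of it.
    return os.path.normpath(os.path.join(webroot, name))

def safe_part_path(webroot, name):
    # Hardened lookup: accept a bare file name only, resolve it, and confirm the
    # result still lies under the docroot. Returns None when the request is rejected.
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        return None
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # a ".." path component
def flag_traversal_requests(log_lines):
    # Detection over web server access logs: return the request targets aimed at
    # psdoccgi.exe whose headername/footername values contain a ".." component.
    # parse_qs decodes once; unquote is applied again to catch double encoding.
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m or "psdoccgi.exe" not in m.group(1).lower():
            continue
        params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        values = [unquote(v) for p in PART_PARAMS for v in params.get(p, [])]
        if any(TRAVERSAL.search(v) for v in values):
            hits.append(m.group(1))
    return hits

# Constructed sample log lines (not real traffic), combined-log style.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Nov/2003:10:00:00 +0000] "GET /psdoccgi.exe?headername=header.html&footername=footer.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [13/Nov/2003:10:01:00 +0000] "GET /psdoccgi.exe?headername=..%2F..%2F..%2Fsome%2Ffile&footername=footer.html HTTP/1.0" 200 2048',
    '10.0.0.9 - - [13/Nov/2003:10:02:00 +0000] "GET /index.html HTTP/1.0" 200 100',
]
if __name__ == "__main__":
    print(naive_part_path(WEBROOT, "../../../some/file"))   # escapes the docroot
    print(safe_part_path(WEBROOT, "../../../some/file"))    # None: rejected
    print(flag_traversal_requests(SAMPLE_LOG))              # one flagged request
```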
|Affected products
PeopleSoft PeopleTools 8.43
PeopleSoft PeopleTools 8.42
PeopleSoft PeopleTools 8.41
PeopleSoft PeopleTools 8.40
PeopleSoft PeopleTools 8.20
PeopleSoft PeopleTools 8.19
|References

Source: SECUNIA
Name: 10225
Link: http://www.secunia.com/advisories/10225/
Source: XF
Name: peoplesoft-searchcgi-directory-traversal(13754)
Link: http://xforce.iss.net/xforce/xfdb/13754
Source: BID
Name: 9037
Link: http://www.securityfocus.com/bid/9037
Source: AUSCERT
Name: ESB-2003.0786
Link: http://www.auscert.org.au/render.html?it=3610
Source: FULLDISC
Name: 20031103 Corsaire Security Advisory: PeopleSoft PeopleBooks Search CGI multiple argument issues
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2003-November/013652.html
Source: VULNWATCH
Name: 20031113 Corsaire Security Advisory: PeopleSoft PeopleBooks Search CGI multiple argument issues
Link: http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0042.html