VULHUB ™

PeopleTools ships with an IClient servlet that is designed to handle core functionality procedures on the PeopleSoft Webserver. In addition to these core procedures the IClient servlet provides for functionality that allows a third party to upload files that are attached to a form post. The uploaded files are stored in the PeopleSoft Web root. The PeopleTools IClient servlet has been reported prone to a vulnerability that could allow a remote attacker to execute arbitrary code with the privileges of the web server process. The issue presents itself due to the weak methods used by the IClient servlet when it is generating random directory names. A remote attacker may guess the random folder name on the vulnerable server and in doing so may invoke the uploaded file and have arbitrary code executed with the privileges of the web server process.

PeopleTools ships with an IClient servlet that is designed to handle core functionality procedures on the PeopleSoft Webserver. In addition to these core procedures the IClient servlet provides for functionality that allows a third party to upload files that are attached to a form post. The uploaded files are stored in the PeopleSoft Web root. The PeopleTools IClient servlet has been reported prone to a vulnerability that could allow a remote attacker to execute arbitrary code with the privileges of the web server process. The issue presents itself due to the weak methods used by the IClient servlet when it is generating random directory names. A remote attacker may guess the random folder name on the vulnerable server and in doing so may invoke the uploaded file and have arbitrary code executed with the privileges of the web server process.