PeopleSoft IScript XSS

2003-11-12T00:00:00
ID OSVDB:3130
Type osvdb
Reporter OSVDB
Modified 2003-11-12T00:00:00

Description

Vulnerability Description

PeopleSoft PeopleTools contains a flaw that allows a remote cross-site scripting (XSS) attack. The flaw exists because the application does not validate input submitted to the IScript script. By using a carefully constructed URL, mobile code, such as Java, can be executed within the user's context. This style of attack can be used to gain access to sensitive information, such as session cookies.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, PeopleSoft has released a patch to address this vulnerability.

References:

Secunia Advisory ID: 10225
CVE-2003-0629
Bugtraq ID: 9036