PeopleSoft XML External Entity Remote File Disclosure Vulnerability
A vulnerability has been discovered in the PeopleSoft Application Messaging Gateway. The problem occurs in the Gateway Administration servlet and can be exploited to obtain the contents of an arbitrary file. The issue is caused by insufficient sanitization of user-supplied XML data in certain POST requests to the Gateway Administration servlet. By including an XML external entity, an attacker may be able to make the server disclose a file's contents within the server's response. Information obtained through exploitation of this vulnerability may aid an attacker in launching further attacks against a target server. It has been reported that under certain circumstances it may be possible to open arbitrary TCP connections through the affected servlet.
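The following is an added example, not part of the original advisory and not PeopleSoft code: a pre-parse check that a filtering layer in front of the servlet could run on POST bodies, reporting external entity and external DTD declarations without resolving them. The function name and the sample documents are constructed for illustration.

```python
import xml.parsers.expat

# Constructed sample bodies (not taken from the advisory).
BENIGN = b'<?xml version="1.0"?><msg><to>gateway</to></msg>'
INTERNAL = b'<!DOCTYPE msg [<!ENTITY greet "hello">]><msg>&greet;</msg>'
EXTERNAL = (b'<!DOCTYPE msg [<!ENTITY ext SYSTEM '
            b'"file:///constructed/placeholder">]><msg>&ext;</msg>')
EXTERNAL_DTD = b'<!DOCTYPE msg SYSTEM "http://dtd.example.invalid/msg.dtd"><msg/>'


def external_entity_findings(body):
    """Return one description per external reference declared in an XML body.

    expat reports declarations through callbacks; with no
    ExternalEntityRefHandler installed it never fetches the referenced
    resource, so inspecting an untrusted body this way opens no file or socket.
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # <!DOCTYPE root SYSTEM "..."> references an external DTD subset.
        if sysid or pubid:
            findings.append(f"external DTD: {sysid or pubid}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # Internal entities carry a value; external ones carry an identifier.
        if value is None and (sysid or pubid):
            kind = "parameter entity" if is_param else "general entity"
            findings.append(f"external {kind} {name}: {sysid or pubid}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed XML should not be forwarded to the backend parser either.
        findings.append(f"malformed XML: {exc}")
    return findings


if __name__ == "__main__":
    for sample in (BENIGN, INTERNAL, EXTERNAL, EXTERNAL_DTD):
        print(external_entity_findings(sample) or "clean")
```

A request whose body yields any finding can be rejected or logged before it reaches the Gateway Administration servlet; internal entities with literal values are not reported.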