Thanks for the heads up Greg.
Cheers,
Matt.
Matt Bielby
Senior Business Systems Analyst
IT Services
University of the Sunshine Coast
Australia
email: mbielby@usc.edu.au
Phone: +61 (07) 5456 5521
>>> Greg Sutton <g.sutton@uq.edu.au> 10/11/2010 11:51 am >>>
I think just a reboot of the Weblogic instances.
Cheers
Greg
Greg Sutton
Enterprise Application Development Manager
The University of Queensland
CRICOS Provider Number 00025B
Tel: +61 7 33466832
Mob: +61 0411406065
Fax: +61 7 33657545
E-mail: g.sutton@uq.edu.au
Unless stated otherwise, this e-mail represents only the views of the
sender and not the views of The University of Queensland.
From: Robert Lacina [mailto:robert.lacina@unisa.edu.au]
Sent: Wednesday, 10 November 2010 11:46 AM
To: anz.heug@list.heug.org
Subject: [anz.heug] - RE: PeopleSoft Cross-site Scripting Vulnerability?
Oh crap! I presume a reboot of the web and/or app servers is required
after the configuration change?
Thanks for the help...
Rob.
Robert Lacina
University of South Australia
Information Strategy and Technology Services
Student Information Systems
Phone: (08) 8302 5251 (external), 25251 (internal)
CRICOS Provider Number: 00121B
"A computer once beat me at chess -
but it was no match for me at kickboxing"
From: Ross Ward [mailto:ward.ross@usq.edu.au]
Sent: Wednesday, 10 November 2010 9:55 AM
To: anz.heug@list.heug.org
Subject: [anz.heug] - RE: PeopleSoft Cross-site Scripting Vulnerability?
Hi Rob,
Try using this link, adapted for your environment.
https://*****.****.edu.au/psp/*****/EMPLOYEE/ERP/e/?url=http://www.google.com
Regards
Ross
From: Robert Lacina [mailto:robert.lacina@unisa.edu.au]
Sent: Wednesday, 10 November 2010 8:37 AM
To: anz.heug@list.heug.org
Subject: [anz.heug] - RE: PeopleSoft Cross-site Scripting Vulnerability?
Hi Greg – are there possibly other settings that you may have open,
other than the “Allow Unregistered Content”?
I’ve checked our web profiles and we definitely have the “Allow
Unregistered Content” checked, but the test with google fails.
I tried both google.com + google.com.au, in both non-production and
production (http & https servers) using both IE & Firefox.
This is what I entered in the address bar:
https://****.unisa.edu.au:****/psp/****/EMPLOYEE/HRMS/c/?url=http://www.google.com.au
And this is the response I got back (after signing in):
Invalid URL - no ContentID found in URL.
https://****.unisa.edu.au:****/psp/****/EMPLOYEE/HRMS/c/?url=http://www.google.com.au
I’m thinking that maybe our PS servers have been set up to block access
to external sites, possibly because we need to go via our proxy server
and my guess is that this is probably not configured on the actual
servers.
Rob
Robert Lacina
University of South Australia
Information Strategy and Technology Services
Student Information Systems
Phone: (08) 8302 5251 (external), 25251 (internal)
CRICOS Provider Number: 00121B
"A computer once beat me at chess -
but it was no match for me at kickboxing"
From: Greg Sutton [mailto:g.sutton@uq.edu.au]
Sent: Friday, 5 November 2010 11:56 AM
To: anz.heug@list.heug.org
Subject: [anz.heug] - PeopleSoft Cross-site Scripting Vulnerability?
Hi
Just a heads up on a cross-site scripting security issue brought to our
attention recently that increased the chances of success of a phishing
attack.
The default setting for the “Allow Unregistered Content” in the
Peoplesoft web profile configuration is true. This allows PeopleSoft to
wrap external content.
We had a phishing email sent to our users that asked them to click on a
link to confirm their username and password – the link was constructed
in the following manner to wrap a malicious external URL.
For example:
https://www.productionsystem.uq.edu.au/psp/ps/EMPLOYEE/ERP/e/?url=http://www.malicious.com/
If the signon page uses a guest user, the command displays the
malicious URL immediately - if no guest user setup, the user signs in
and then is presented with the malicious URL.
The malicious URL can be used to re-prompt and store username and
password.
The advantage of this method over normal phishing attacks is that the
PeopleSoft production site is delivering the bad URL. If the user checks
the certificate of the site when looking at the malicious URL it will
appear to be the production site.
A useful way to test if this affects your site is to try the following:
https://www.yoursite.edu.au/psp/ps/EMPLOYEE/ERP/e/?url=http://www.google.com
If, after you have signed in, you see www.google.com, then this is
where the malicious URL could be displayed.
We have now set the “Allow Unregistered Content” in the Peoplesoft web
profile configuration to false.
Cheers
Greg
Greg Sutton
Enterprise Application Development Manager
The University of Queensland
CRICOS Provider Number 00025B
Tel: +61 7 33466832
Mob: +61 0411406065
Fax: +61 7 33657545
E-mail: g.sutton@uq.edu.au
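Added example, not code from any of the posters or from PeopleSoft: a small Python access-log check that flags requests to the portal's external-content path described above (`/psp/<site>/<portal>/<node>/e/?url=...`) whose `url` target is a host outside an allow-list. The log lines and the `INTERNAL_HOSTS` allow-list are constructed for this example; it is meant to show whether the wrapper was being used against a site before or after the web profile change.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hosts that may legitimately be wrapped by the portal (constructed allow-list).
INTERNAL_HOSTS = {"www.productionsystem.uq.edu.au", "portal.example.edu.au"}

# The portal's external-content handler path from the thread: /psp/<site>/<portal>/<node>/e/
WRAP_PATH = re.compile(r"^/psp/[^/]+/[^/]+/[^/]+/e/?$")

# Common log format: client ip, ident, user, [timestamp], "METHOD path HTTP/x.y", status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def external_wrap_target(request_path):
    """Return the non-allow-listed host a wrap request points at, or None if benign."""
    parts = urlsplit(request_path)
    if not WRAP_PATH.match(parts.path):
        return None  # not the external-content handler at all
    for target in parse_qs(parts.query).get("url", []):
        host = urlsplit(target).hostname
        # Scheme-relative targets (//host/...) still yield a hostname, so they are caught too.
        if host and host.lower() not in INTERNAL_HOSTS:
            return host.lower()
    return None


def flag_wrap_requests(log_lines):
    """Return (client_ip, external_host, status) for every line wrapping an outside host."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        host = external_wrap_target(path)
        if host:
            hits.append((ip, host, int(status)))
    return hits


# Constructed sample log: one phishing-style wrap, one normal component request,
# one wrap of an allow-listed host, and the google.com self-test from the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Nov/2010:09:12:01 +1000] "GET /psp/ps/EMPLOYEE/ERP/e/?url=http://www.malicious.com/ HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Nov/2010:09:13:44 +1000] "GET /psp/ps/EMPLOYEE/ERP/c/MAINTAIN_SECURITY.USERMAINT.GBL HTTP/1.1" 200 8801',
    '203.0.113.7 - - [05/Nov/2010:09:14:10 +1000] "GET /psp/ps/EMPLOYEE/ERP/e/?url=https://www.productionsystem.uq.edu.au/help HTTP/1.1" 200 411',
    '198.51.100.4 - - [05/Nov/2010:09:15:30 +1000] "GET /psp/ps/EMPLOYEE/ERP/e/?url=http://www.google.com HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, host, status in flag_wrap_requests(SAMPLE_LOG):
        print(f"{ip} wrapped external host {host} (HTTP {status})")
```

Requests that still return 200 for an outside host after "Allow Unregistered Content" has been set to false are a sign the change has not taken effect on that web server instance.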