PeopleSoft, PeopleTools远程执行任意命令漏洞
(国家计算机网络入侵防范中心)

中心编号：NIPC-2003-0925

CVE编号：CAN-2003-0950

漏洞级别：高

发布日期：2003-12-25

更新日期：2003-12-15

漏洞类型：设计错误

攻击类型：远程

攻击效果：安全保护

受影响系统：

PeopleSoft, PeopleTools, 8.4PeopleSoft, PeopleTools, 8.10PeopleSoft, PeopleTools, 8.11PeopleSoft, PeopleTools, 8.12PeopleSoft, PeopleTools, 8.13PeopleSoft, PeopleTools, 8.14PeopleSoft, PeopleTools, 8.15PeopleSoft, PeopleTools, 8.16PeopleSoft, PeopleTools, 8.17PeopleSoft, PeopleTools, 8.18PeopleSoft, PeopleTools, 8.19PeopleSoft, PeopleTools, 8.20PeopleSoft, PeopleTools, 8.40PeopleSoft, PeopleTools, 8.41PeopleSoft, PeopleTools, 8.42PeopleSoft, PeopleTools, 8.43

漏洞描述：

PeopleSoft, PeopleTools, 8.1x, 8.2x, 以及 8.4x存在漏洞，通过向IClient Servlet上传一个文件，猜出存储这个文件的路径名，并访问这个文件，这样远程攻击者就可以在系统中执行任意指令。

参考资源二：

Source: ISS X-ForceType: GeneralName: peoplesoft-iclientservlet-file-upload(12805)http://xforce.iss.net/xforce/xfdb/12805

参考资源三：

Source: Security FocusType: GeneralName: bid 9041http://www.securityfocus.com/bid/9041