PeopleSoft Security Part 1: Overview of architecture
Oracle PeopleSoft applications are quite complex and consist of many components, so their security is not a simple thing. While there is almost no research on PS security, successful attacks...
PeopleSoft Security Part 2: “Decrypting” AccessID
Now that we have covered PeopleSoft Architecture, it is time to continue with PeopleSoft security and describe some attack vectors against the PeopleSoft system discovered by ERPScan researchers....
PeopleSoft Security Part 3: PeopleSoft SSO & TokenChpoken Attack
In the third part of the PeopleSoft Security series, we will describe how to log in under any account and gain full access to the PeopleSoft system. What is PeopleSoft SSO and how does it work?...
PeopleSoft Security part 4: PeopleSoft pentest using TokenChpoken Tool
In the previous blog post about PeopleSoft Security we looked at the TokenChpoken attack and PeopleSoft SSO. Today we will go through all steps of exploitation of the attack which can help you...
Universities are at risk of data breaches: is it possible to protect them?
Last Wednesday Harvard University announced that on June 19 an intrusion on Faculty of Arts and Sciences and Central Administration information technology networks was discovered. According to...
[ERPSCAN-14-022] Oracle Weblogic Application Server – Authorization bypass
Application: Oracle Weblogic Application Server Versions Affected: WebLogic Server 10.3.6.0/10.3.1.0, maybe others Vendor URL: http://www.oracle.com Bugs: Authorization bypass Exploits: YES...
[ERPSCAN-14-023] Oracle PeopleSoft PeopleTools – insecure AccessID encryption
Application: Oracle PeopleSoft PeopleTools Versions Affected: Oracle PeopleSoft PeopleTools 8.53 / 8.50 Vendor URL: http://www.oracle.com Bugs: Insecure encryption Exploits: YES Reported:...
Oracle Critical Patch Update October 2015 – Analyzing Oracle Security
Today Oracle has released its quarterly critical patch update for October 2015. It fixes a total of 154 vulnerabilities. The previous CPU for July 2015 closed 193 security vulnerabilities which...
Oracle Security Analysis – Oracle Critical Patch Update January 2016
Today Oracle has released its quarterly patch update for January 2016. It fixes a total of 248 vulnerabilities. It’s a record number of security issues patched by Oracle in one update ever, and...
CVSS 3.0 – How does it Affect Oracle Critical Patch Update?
Today Oracle has released its quarterly patch update for April 2016. It fixes a total of 136 vulnerabilities. Compared with the previous record-breaking CPU for January 2016 that closed 248...
Analyzing Oracle Security – Oracle Critical Patch Update October 2016
Today Oracle has released its quarterly patch update for October 2016. It fixes a total of 253 vulnerabilities. The main highlights are as follows: 1. This is the second-largest Update...
[ERPSCAN-17-040] Anonymous Directory Traversal Vulnerability (Double Encode)...
Application: Oracle PeopleSoft Versions Affected: PeopleTools 8.54, 8.55 Vendor: Oracle Bugs: Directory Traversal and Authentication Bypass Reported: 16.03.2017 Vendor response: 17.03.2017 Date of...
[ERPSCAN-17-041] Unauthorized Container Shutdown In ServerMigrationCoordinator
Application: Oracle PeopleSoft Versions Affected: PeopleSoft FSCM 9.2 Vendor: Oracle Bug: Missing Authentication for Critical Function Reported: 16.03.2017 Vendor response: 17.03.2017 Date of Public...
[ERPSCAN-17-042] Anonymous log injection in FSCM
Application: Oracle PeopleSoft Versions Affected: PeopleSoft FSCM 9.2 Vendor: Oracle Bug: Anonymous log injection Reported: 16.03.2017 Vendor response: 17.03.2017 Date of Public Advisory: 18.07.2017...
EAS-SEC. Oracle PeopleSoft Security Configuration. Part 6: Insecure settings
A typical PeopleSoft system is quite large and complex, so there are a lot of settings that affect its security. Some of them we have already described. This part of the guideline is focused on...
EAS-SEC. Oracle PeopleSoft Security Configuration. Part 7: Unencrypted...
The PeopleSoft Internet Architecture (PIA) is a multi-component system with a lot of cross-component interactions and numerous types of interactions between users and external systems. Therefore,...
PeopleSoft Passwords Decryption
We continue to familiarize you with PeopleSoft security aspects and share the latest research directly from our lab, hot and tasty. The topic of today’s research is … Passwords! Right, it’s a...
Analyzing Oracle Security – Oracle Critical Patch Update October 2017
Today Oracle has released its quarterly patch update for October 2017. It fixes a total of 252 vulnerabilities. The main highlights are as follows: Oracle closed 1119 issues in 2017 in total and the...
EAS-SEC. Oracle PeopleSoft Security Configuration. Part 8: Access control and...
PeopleSoft has multiple functional opportunities, which are implemented through programs, transactions, and reports. Access to these objects should be strictly regulated by defining user profiles,...
PeopleSoft JOLTandBLEED Vulnerability
As a matter of urgency, Oracle has released 5 patches addressing severe vulnerabilities identified by the ERPScan team. The most critical of them have the highest CVSS base score of 9.9 and even 10.0...