EMM: MAINT_LOOP_ID Accepts Single Quotes (Doc ID 2143660.1)

Last updated on MARCH 09, 2017

Applies to:

PeopleSoft Enterprise FIN Maintenance Management - Version 9.1 and later
Information in this document applies to any platform.

Symptoms

MAINT_LOOP_ID accepts single quotes this causes the loop schedule page to fail with a sql error but more importantly it allows for sql injection


Expected Behavior
-------------------------
It is expected that an edit on MAINT_LOOP_ID will not allow the field to be saved with single codes embedded in the value.

Steps
----------------
This issue can be replicated by performing the following steps:

1) Create a Maintenance Loop with a Loop ID that includes single quotes, at least one, and save.
2) Create a Loop Schedule with the Loop ID that includes single quotes.
3) Submit the Run Preventive Maintenance process for the Loop Schedule.

Business Impact
---------------------
This bug represents an unacceptable security risk that would allow a malicious user to delete tables. We need to have this resolved before we are required to disclose this to our auditors.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms