|
|
 |
| New User, Welcome! Login |
Session hacking via authentication cookie on Oracle CRM on Demand
| From: |
jeffto eljeffto com |
| To: |
bugtraq securityfocus com |
| Cc: |
|
| Subject: |
Session hacking via authentication cookie on Oracle CRM on Demand |
| Date: |
Fri - May 20, 2011 02:48 PM |
# Vulnerability Title: Session hacking via authentication cookie on Oracle CRM on Demand
# Date: 20/05/2011
# Vendor: Oracle
# Product: Oracle CRM on Demand
# Software Link: https://sso.crmondemand.com/
Summary: Oracle CRM on Demand is a web application to
manage Customer information.
Desc: On login process a cookie with parameter JIDSESSION is downloaded by the user browser.
Once you get the cookie using a cookie theft or another cookie capture software or method
and inject in a second browser you can directly access to the web application without give
any user or password. Oracle said this is a problem of the user not related with them.
The application only uses this cookie to validate the user session.
Tested with: Greasemonkey cookie injector - Cookies manager+ (Both extensions on Firefox)
Vulnerability discovered by: eljeffto
|
|
|
Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
Nearly all of LinuxRocket's features are free. Be kind and donate to the cause!
