
List:       bugtraq
Subject:    Ariba password exposure vulnerability
From:       gerald626 () gmail ! com
Date:       2005-08-31 18:04:07
Message-ID: 20050831180407.20708.qmail () securityfocus ! com

The Ariba Spend Management System, which is a web-based application, appears to
transmit the username and password of the user to the server via the URL in plain
text.  Packet capture is available for analysis upon request.

This may enable a malicious user to sniff the username/password for accounts in the
'approval' role (for example, the CFO/CTO/CEO), which would allow the user to
purchase items they are not normally permitted to.

Gerald.

