Message-ID: <20050831180407.20708.qmail@securityfocus.com>
Date: 31 Aug 2005 18:04:07 -0000
From: gerald626@...il.com
To: bugtraq@...urityfocus.com
Subject: Ariba password exposure vulnerability
The Ariba Spend Management System, which is a web-based application, appears to transmit the username and password of the user to the server via the URL in plain text. Packet capture is available for analysis upon request.
This may enable a malicious user to sniff the username/password for accounts in the 'approval' role (for example, the CFO/CTO/CEO), which would allow the user to purchase items they are not normally permitted to.
Gerald.
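
Credentials carried in a URL are also written to web server and proxy access logs, so those logs are a practical place to confirm the exposure described above and to scrub it. The following is an added example, not part of the original post or of Ariba's code: it scans access-log lines for password-like query parameters and redacts them. The parameter names, paths and log lines are assumptions constructed for illustration, since the advisory does not name the actual parameters.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumed parameter names; the advisory does not name the actual ones.
CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "pass"}

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def redact_target(target):
    """Return (redacted_target, exposed_param_names) for a request target."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    exposed = [k for k, _ in pairs if k.lower() in CREDENTIAL_PARAMS]
    if not exposed:
        return target, []
    clean = [(k, "REDACTED" if k.lower() in CREDENTIAL_PARAMS else v)
             for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean))), exposed

def scan(lines):
    """Return [(line_no, method, redacted_target, exposed_params)] for hits."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line
        redacted, exposed = redact_target(m.group("target"))
        if exposed:
            findings.append((no, m.group("method"), redacted, exposed))
    return findings

# Constructed sample log lines (not taken from the advisory or from Ariba).
SAMPLE = [
    '192.0.2.10 - - [31/Aug/2005:18:01:00 +0000] '
    '"GET /app/login?user=cfo&password=Winter05%21 HTTP/1.1" 200 512',
    '192.0.2.11 - - [31/Aug/2005:18:02:00 +0000] '
    '"POST /app/login HTTP/1.1" 302 0',
    '192.0.2.12 - - [31/Aug/2005:18:03:00 +0000] '
    '"GET /app/home?lang=en&PWD=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for no, method, target, exposed in scan(SAMPLE):
        print(f"line {no}: {method} {target} exposes {exposed}")
```

Any hit means the password has already been stored wherever that log is kept, so affected accounts need a password change in addition to log redaction.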