lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <1DB514108C342247B1F760312304D1E205F24824@us-hqmail2.ariba.com>
Date: Wed, 31 Aug 2005 19:41:35 -0700
From: "Craig Kennedy" <CKennedy@...ba.com>
To: <bugtraq@...urityfocus.com>
Cc: <gerald626@...il.com>
Subject: RE: Ariba password exposure vulnerability


Gerald626,

I read your post on bugtraq and needed to respond to clear up some
inaccuracies and misrepresentations.

Ariba's "Spend management" software is a suite of web-based applications
that enable customers to more effectively manage their spend.

I'm not quite sure what you mean by "... transmit the username and
password of the user to the server via the URL in plain text".  Ariba
applications do not embed credentials in the body of the URL.  User
credentials are sent from the browser to the server via a form post (as
do most other web-based applications).

If the applications are run on a web server that's configured to
communicate via http, then all information passed between the browser
and web server is in clear text (and is subsequently visible with packet
capture using the proper hardware and software).  This would be true of
any and all applications vended by this server.

If the web server is configured to use SSL (https), then all
communication passed between the browser and server is fully encrypted
(and not exposed by sniffing the line).  This is a web server
configuration issue, not an application issue.

Ariba's "Configuration Guide" documentation is very clear that the
customer should use https when configuring Ariba's applications for use
in production mode.  In fact most of Ariba's application software has
safeguards in place to prevent the use of http in production unless the
customer intentionally disables this feature.
 

Craig Kennedy
Senior Security Manager
Ariba, Inc.

-----Original Message-----
From: gerald626@...il.com
Subject: Ariba password exposure vulnerability
To: bugtraq@...urityfocus.com
Date: Wed, Aug 31 11:04:07 

The Ariba Spend Management System, which is a web-based application,
appears to transmit the username and password of the user to the server
via the URL in plain text.  Packet capture is available for analysis
upon request.

This may enable a malicious user to sniff the username/password for
accounts in the 'approval' role (for example, the CFO/CTO/CEO), which
would allow the user to purchase items they are not normally permitted
to.

Gerald.
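
The two messages above disagree about whether the credentials travel in the URL or in a form POST, but the security-relevant point in Kennedy's reply is that over plain http:// it makes no difference: anyone with a packet capture reads both. The following is an added example, not code from Ariba or from either poster. It parses a captured plaintext HTTP/1.x request and reports credential-looking parameters whether they sit in the GET query string or in a form-encoded POST body; the captures, the hostname ariba.example.com, the path /Buyer/Main and the field names username/password are all constructed for illustration and are not Ariba's actual login parameters. A TLS capture, by contrast, yields nothing parseable, which is the whole argument for https.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names a login form commonly uses.  Assumption for the example;
# Ariba's real field names are not given on this page.
CREDENTIAL_FIELDS = {"username", "user", "login", "password", "passwd", "pwd"}

# Constructed captures (not real traffic): the same login once as a GET with
# the credentials in the URL, once as a form POST, and once as the first bytes
# of a TLS ClientHello record, which is all a sniffer sees over https.
GET_CAPTURE = (
    b"GET /Buyer/Main?username=cfo&password=Summer05 HTTP/1.1\r\n"
    b"Host: ariba.example.com\r\n\r\n"
)
POST_CAPTURE = (
    b"POST /Buyer/Main HTTP/1.1\r\n"
    b"Host: ariba.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n\r\n"
    b"username=cfo&password=Summer05"
)
TLS_CAPTURE = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"


def parse_http_request(raw):
    """Split a captured plaintext HTTP/1.x request into
    (method, target, headers, body).  Returns None if the bytes do not
    start with an HTTP request line (e.g. they are TLS records)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def find_exposed_credentials(raw):
    """Return [(location, field, value), ...] for credential-like parameters
    readable in a plaintext request.  'url' means the GET query string,
    'body' means a form-encoded POST body.  Over http:// both are equally
    visible to packet capture; over https:// the capture is TLS and this
    function finds nothing."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return []
    _method, target, headers, body = parsed
    findings = []

    # Credentials embedded in the URL, as the original report claimed.
    for field, values in parse_qs(urlsplit(target).query).items():
        if field.lower() in CREDENTIAL_FIELDS:
            findings.append(("url", field, values[0]))

    # Credentials in a form POST, as the vendor reply describes.  Still
    # cleartext on the wire when the server speaks plain http.
    ctype = headers.get("content-type", "")
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode("iso-8859-1")).items():
            if field.lower() in CREDENTIAL_FIELDS:
                findings.append(("body", field, values[0]))
    return findings


if __name__ == "__main__":
    for label, capture in (("GET", GET_CAPTURE), ("POST", POST_CAPTURE),
                           ("TLS", TLS_CAPTURE)):
        print(label, find_exposed_credentials(capture))
```

Run against a real capture (for instance the payload of a reassembled TCP stream from tcpdump or Wireshark), the function reports the same fields for a GET and a POST over port 80, which is why moving credentials out of the URL does not by itself close the exposure; only serving the login over https, as the Configuration Guide referenced above requires for production, does.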

