Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26402
HistoryMay 25, 2011 - 12:00 a.m.

Session hacking via authentication cookie on Oracle CRM on Demand

2011-05-2500:00:00
vulners.com
11
JSON

Vulnerability Title: Session hacking via authentication cookie on Oracle CRM on Demand

Date: 20/05/2011

Vendor: Oracle

Product: Oracle CRM on Demand

Software Link: https://sso.crmondemand.com/

Summary: Oracle CRM on Demand is a web application to
manage Customer information.

Desc: On login process a cookie with parameter JIDSESSION is downloaded by the user browser.
Once you get the cookie using a cookie theft or another cookie capture software or method
and inject in a second browser you can directly access to the web application without give
any user or password. Oracle said this is a problem of the user not related with them.
The application only uses this cookie to validate the user session.

Tested with: Greasemonkey cookie injector - Cookies manager+ (Both extensions on Firefox)

Vulnerability discovered by: eljeffto

JSON