RE: Ariba password exposure vulnerability
Gerald626,
I read your post on bugtraq and needed to respond to clear up some
inaccuracies and misrepresentations.
Ariba's "Spend management" software is a suite of web based applications
that enable customers to more effectively manage their spend.
I'm not quite sure what you mean by "... transmit the username and
password of the user to the server via the URL in plain text". Ariba
applications do not embed credentials in the body of the URL. User
credentials are sent from the browser to the server via a form post (as
does most other web based applications).
If the applications are run on a web server that's configured to
communicate via http, then all information passed between the browser
and web server is in clear text (and is subsequently visible with packet
capture using the proper hardware and software). This would be true of
any and all applications vended by this server.
If the web server is configured to use SSL (https), then all
communication passed between the browser and server is fully encrypted
(and not exposed by sniffing the line). This is a web server
configuration issue, not an application issue.
Ariba's "Configuration Guide" documentation is very clear that the
customer should use https when configuring Ariba's applications for use
in production mode. In fact most of Ariba's application software has
safeguards in place to prevent the use of http in production unless the
customer intentionally disables this feature.
Craig Kennedy
Senior Security Manager
Ariba, Inc.
-----Original Message-----
From: gerald626@xxxxxxxxx
Subject: Ariba password exposure vulnerability
To: bugtraq@xxxxxxxxxxxxxxxxx
Date: Wed, Aug 31 11:04:07
The Ariba Spend Mangement System, which is a web-based application,
appears to
transmit the username and password of the user to the server via the URL
in plain
text. Packet capture is available for analysis upon request.
This may enable a malicious user to sniff the username/password for
accounts in the
'approval' role (for example, the CFO/CTO/CEO), which would allow the
user to
purchase items they are not normally permitted to.
Gerald.