re: Ariba Spend Management System
gerald626_at_gmail.com
Date: 09/01/05
- Previous message: Eric Romang / ZATAZ.com: "silc server and toolkit insecure temporary file creation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 1 Sep 2005 12:12:41 -0000 To: bugtraq@securityfocus.com('binary' encoding is not supported, stored as-is) I would like to clarify some things.
First, I would like to apologize for any mis-representaiton due to a lack of proper explanation on my part.
My previous post was essentially true, that the username/password is being transmitted in clear text. However, it is not in the URL as I previously claimed; after a closer look, it is in a post request. Either way, the fact remains that it is still in the clear.
I tested this with the Ariba Buyer application. The Ariba Spend Management System is a collection of applications. However, my understanding is that most, if not all, of the applicaitons in the suite utilize the same authentication method. Maybe somebody from Ariba can clarify this particular issue.
For those of you who requested a sample of my packet capture, I will be sending it shortly.
Gerald.
- Previous message: Eric Romang / ZATAZ.com: "silc server and toolkit insecure temporary file creation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
