Gerald626, I read your post on bugtraq and needed to respond to clear up some inaccuracies and misrepresentations.

Ariba's "Spend management" software is a suite of web-based applications that enable customers to more effectively manage their spend. I'm not quite sure what you mean by "... transmit the username and password of the user to the server via the URL in plain text". Ariba applications do not embed credentials in the body of the URL. User credentials are sent from the browser to the server via a form post (as do most other web-based applications).

If the applications are run on a web server that's configured to communicate via http, then all information passed between the browser and web server is in clear text (and is subsequently visible with packet capture using the proper hardware and software). This would be true of any and all applications vended by this server. If the web server is configured to use SSL (https), then all communication passed between the browser and server is fully encrypted (and not exposed by sniffing the line). This is a web server configuration issue, not an application issue.

Ariba's "Configuration Guide" documentation is very clear that the customer should use https when configuring Ariba's applications for use in production mode. In fact, most of Ariba's application software has safeguards in place to prevent the use of http in production unless the customer intentionally disables this feature.

Craig Kennedy
Senior Security Manager
Ariba, Inc.

-----Original Message-----
From: gerald626@xxxxxxxxx
Subject: Ariba password exposure vulnerability
To: bugtraq@xxxxxxxxxxxxxxxxx
Date: Wed, Aug 31 11:04:07

The Ariba Spend Management System, which is a web-based application, appears to transmit the username and password of the user to the server via the URL in plain text. Packet capture is available for analysis upon request.

This may enable a malicious user to sniff the username/password for accounts in the 'approval' role (for example, the CFO/CTO/CEO), which would allow the user to purchase items they are not normally permitted to.

Gerald.
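The two posts above disagree on where the credentials sit (URL query string versus form POST body) but agree on the underlying point: over plain http, whatever the browser sends is readable to anyone capturing packets. The script below is an added example, written for this page and not taken from either poster or from Ariba; it parses two constructed cleartext HTTP requests (the hostname, path and field names are assumptions, not a real Ariba capture) and pulls the same username/password out of the URL in one case and out of the form body in the other, which is what an analyst would do with a capture like the one Gerald offers.

```python
"""Added example: extract login credentials from a cleartext HTTP capture.

Both constructed requests below carry the same credentials; one puts them
in the URL query string, the other in an application/x-www-form-urlencoded
POST body.  Over http, a sniffer reads both just as easily.  Hostname,
path and field names are assumptions for illustration only.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed wire captures (not real Ariba traffic).
GET_REQUEST = (
    "GET /Buyer/Main/login?username=cfo&password=Secret123 HTTP/1.1\r\n"
    "Host: ariba.example.internal\r\n"
    "\r\n"
)
POST_REQUEST = (
    "POST /Buyer/Main/login HTTP/1.1\r\n"
    "Host: ariba.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 31\r\n"
    "\r\n"
    "username=cfo&password=Secret123"
)

# Field names we treat as credentials (assumed; adjust for the target app).
CREDENTIAL_FIELDS = ("username", "password")


def split_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def extract_credentials(raw: str) -> dict:
    """Return {field: (location, value)} for every credential field visible
    on the wire, whether it travels in the URL or in a form-encoded body."""
    _method, target, headers, body = split_request(raw)
    found = {}

    # Credentials in the URL: also end up in server/proxy logs and browser history.
    for key, values in parse_qs(urlsplit(target).query).items():
        if key in CREDENTIAL_FIELDS:
            found[key] = ("url", values[0])

    # Credentials in a form POST: not in the URL, but still cleartext over http.
    content_type = headers.get("content-type", "")
    if content_type.startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body).items():
            if key in CREDENTIAL_FIELDS:
                found[key] = ("body", values[0])

    return found


if __name__ == "__main__":
    for label, req in (("GET", GET_REQUEST), ("POST", POST_REQUEST)):
        print(label, extract_credentials(req))
```

The only thing that makes either request unreadable to a passive observer is TLS on the server side; moving the fields from the query string into the POST body changes where they are logged, not whether they can be sniffed.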