# Vulnerability Title: Session hijacking via authentication cookie on Oracle CRM on Demand
# Date: 20/05/2011
# Vendor: Oracle
# Product: Oracle CRM on Demand
# Software Link: https://sso.crmondemand.com/

Summary: Oracle CRM on Demand is a web application for managing customer information.

Desc: During the login process, a cookie with the parameter JIDSESSION is sent to the user's browser. Once you obtain this cookie (through cookie theft or any other cookie capture software or method) and inject it into a second browser, you can directly access the web application without giving any username or password. Oracle stated that this is a user-side problem and not related to them. The application only uses this cookie to validate the user session.

Tested with: Greasemonkey cookie injector, Cookies manager+ (both extensions on Firefox)

Vulnerability discovered by: eljeffto
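The advisory's core point is that the JIDSESSION cookie is the only thing the server checks, so a copied cookie is as good as a login. The following is an added example (not Oracle's code and not part of the original advisory) of what a defender can do about that on the server and in the SOC: bind each session to the client it was issued to, emit the cookie with attributes that limit theft and replay, and scan access logs for the same session id arriving from more than one client. Only the cookie name JIDSESSION comes from the advisory; the pipe-separated log format, the sample log lines, the session store layout and all function names are constructed for this illustration.

```python
"""Detecting and limiting replay of a bearer session cookie.

Added illustration, not Oracle's code. The cookie name JIDSESSION is taken from
the advisory; the log format, sample data and function names are constructed.
"""
from collections import defaultdict

COOKIE_NAME = "JIDSESSION"

# Constructed sample access-log lines: client_ip | user_agent | Cookie header.
# Session abc123 is first used by 10.0.0.5 and later shows up from 10.0.0.9
# with a different browser, which is the pattern the advisory describes.
SAMPLE_LOG = """\
10.0.0.5|Mozilla/5.0 (Windows NT 6.1; rv:4.0)|JIDSESSION=abc123; theme=dark
10.0.0.5|Mozilla/5.0 (Windows NT 6.1; rv:4.0)|JIDSESSION=abc123
10.0.0.9|Mozilla/5.0 (X11; Linux x86_64; rv:4.0)|JIDSESSION=abc123
10.0.0.7|Mozilla/5.0 (Macintosh)|JIDSESSION=zzz999
"""


def parse_cookie(header, name):
    """Return the value of cookie `name` from a Cookie request header, or None."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def find_replayed_sessions(log_text, cookie_name=COOKIE_NAME):
    """Map each session id to the distinct (ip, user_agent) pairs that presented it.

    Only ids seen from more than one client are returned; those are the
    candidates for a hijacked session and should be invalidated and reviewed.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, user_agent, cookies = line.split("|", 2)
        sid = parse_cookie(cookies, cookie_name)
        if sid:
            seen[sid].add((ip, user_agent))
    return {sid: sorted(clients) for sid, clients in seen.items() if len(clients) > 1}


def session_cookie_header(value, max_age=900):
    """Build a Set-Cookie header with the attributes that limit theft and reuse.

    HttpOnly keeps script (and browser extensions running as page script) away
    from the value, Secure prevents capture on plaintext HTTP, SameSite=Strict
    stops cross-site requests from carrying it, and a short Max-Age bounds how
    long a stolen copy stays useful.
    """
    return (f"{COOKIE_NAME}={value}; Secure; HttpOnly; SameSite=Strict; "
            f"Path=/; Max-Age={max_age}")


def validate_session(store, sid, ip, user_agent):
    """Server-side check: the cookie alone is not enough, the client must match.

    `store` maps session id -> {"ip": ..., "ua": ...} recorded at login.
    Returns (ok, reason). A user-agent change is treated as a hard failure;
    an IP change is also refused here, see the usage note for the trade-off.
    """
    record = store.get(sid)
    if record is None:
        return False, "unknown session"
    if record["ua"] != user_agent:
        return False, "user-agent mismatch"
    if record["ip"] != ip:
        return False, "ip mismatch"
    return True, "ok"


if __name__ == "__main__":
    for sid, clients in find_replayed_sessions(SAMPLE_LOG).items():
        print(f"session {sid} presented by {len(clients)} distinct clients: {clients}")
    print(session_cookie_header("abc123"))
```

Binding a session to the source IP cuts off simple replay from another machine, but it also breaks legitimate users behind rotating NAT pools or on mobile networks; many deployments therefore log an IP change and force re-authentication rather than rejecting outright, while keeping the user-agent check strict. None of these measures replaces short session lifetimes and server-side invalidation on logout.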