J-Security Center

Title: Business Objects WebIntelligence Application Session Hijacking Vulnerability

Severity: HIGH

Description:

WebIntelligence is an analysis tool for business intelligence. It is distributed by Business Objects, and available for the Unix and Microsoft Windows platforms.

A problem with the WebIntelligence application could make it possible for remote users to hijack sessions.

It has been reported that WebIntelligence uses an insecure model for session security: it relies on web-style, cookie-based session mechanisms that may be prone to hijacking. This could allow a remote user to gain unauthorized access to another user's session.

The problem is that the application uses cookies with guessable values to secure user sessions. It has also been suggested that a remote attacker may use other means to steal cookie-based authentication credentials from legitimate users. By gaining access to the application's session cookie, another user could gain complete access to the victim's session and perform all actions with the victim's privileges. This vulnerability does not, however, permit the changing of user passwords.
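The paragraph above describes two risks: session cookies whose values can be guessed, and cookies that can be stolen by other means. The following is an added example (not part of the advisory, and not Business Objects code) of how a defender might audit a captured sample of session cookie values for the counter-plus-timestamp pattern that makes them guessable, how to mint session identifiers from a cryptographic random source instead, and how to set the cookie attributes that narrow the theft vectors. The sample values, the function names and the 22-character length floor (url-safe base64 of 128 bits) are all constructed assumptions.

```python
import math
import re
import secrets

# Constructed sample of cookie values illustrating a guessable scheme
# (an incrementing counter followed by a timestamp). Not real product output.
WEAK_SAMPLE = [
    "1001-20020101120001",
    "1002-20020101120007",
    "1003-20020101120015",
    "1004-20020101120031",
]

_DIGITS = re.compile(r"\d+")


def is_sequential(tokens):
    """True when the first numeric field of each token forms a run of
    consecutive integers, the hallmark of a counter-based session id."""
    firsts = []
    for t in tokens:
        m = _DIGITS.search(t)
        if m is None:          # a token with no digits cannot be a counter
            return False
        firsts.append(int(m.group()))
    if len(firsts) < 2:
        return False
    firsts.sort()
    return all(b - a == 1 for a, b in zip(firsts, firsts[1:]))


def observed_position_bits(tokens):
    """Sum over character positions of log2(distinct characters seen there).
    With n captured tokens each position contributes at most log2(n), so this
    is only a lower bound on variability; its main use is exposing positions
    that never change (fixed structure) in an allegedly random identifier."""
    if not tokens:
        return 0.0
    width = min(len(t) for t in tokens)
    total = 0.0
    for i in range(width):
        distinct = len({t[i] for t in tokens})
        total += math.log2(distinct)
    return total


def audit_session_tokens(tokens, min_length=22):
    """Summarise the checks above. min_length=22 assumes url-safe base64 of
    at least 128 bits; adjust the floor for hex or other encodings."""
    seq = is_sequential(tokens)
    min_len = min((len(t) for t in tokens), default=0)
    bits = observed_position_bits(tokens)
    weak = seq or min_len < min_length
    return {
        "sequential": seq,
        "min_length": min_len,
        "observed_bits": round(bits, 2),
        "verdict": "weak" if weak else "no obvious defect",
    }


def new_session_id(nbytes=32):
    """Session id drawn from the OS CSPRNG: 32 bytes = 256 bits, which is
    far beyond any guessing capacity; the value carries no user information."""
    return secrets.token_urlsafe(nbytes)


def build_set_cookie(name, value):
    """Set-Cookie header that limits the theft vectors the advisory alludes to:
    HttpOnly keeps the cookie away from page script, Secure keeps it off
    plaintext HTTP, and SameSite=Strict stops cross-site requests carrying it."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    print("weak sample:", audit_session_tokens(WEAK_SAMPLE))
    strong = [new_session_id() for _ in range(4)]
    print("CSPRNG sample:", audit_session_tokens(strong))
    print(build_set_cookie("SESSIONID", new_session_id()))
```

On the constructed sample the audit reports `sequential: True` and only about 5 bits of observed variability across 19 characters, which is the signature of a counter plus clock. The position-bits figure is deliberately conservative: with four captured tokens it cannot exceed 2 bits per position, so a low number on a large sample is meaningful while a low number on a tiny sample is not; the sequential check is the decisive signal here.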

Affected Products:

  • Business Objects WebIntelligence 2.7.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.