Crystal Reports Weak Sessions

  • Published: 28 Nov 2006

CVE-2006-4099

Type

  • Crystal Reports: Weak Sessions Advisory

Severity

  • High

Affected products

  • Crystal Reports

Date

  • 2006-11-28

CVE Reference

  • CVE-2006-4099

Crystal Reports uses a cookie value called WCSID as its session identifier. This session identifier is not sufficiently random, nor does it contain enough entropy. In addition, the session identifier is not tied to a user’s IP address. This combination allows an attacker to hijack any currently authenticated user’s session from any location.
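A server-side sketch of the two controls whose absence is described above, a session identifier drawn from a CSPRNG and a check that binds it to the issuing client address. This is an added example, not code from Crystal Reports or from the advisory; the `SessionStore` class, the 30-minute timeout and the sample addresses in the usage are assumptions.

```python
import hashlib
import secrets
import time

SESSION_TTL = 1800  # seconds; assumed idle timeout for this sketch


class SessionStore:
    """Issues unpredictable session IDs and binds each one to a client address."""

    def __init__(self):
        # sha256(token) -> (user, client_ip, expires_at)
        self._sessions = {}

    @staticmethod
    def _key(token):
        # Store only a digest so a leaked session table does not expose live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, client_ip, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = (user, client_ip, now + SESSION_TTL)
        return token

    def validate(self, token, client_ip, now=None):
        """Return the user, or None if the token is unknown, expired or misplaced."""
        now = time.time() if now is None else now
        key = self._key(token)
        record = self._sessions.get(key)
        if record is None:
            return None
        user, bound_ip, expires_at = record
        if now >= expires_at or bound_ip != client_ip:
            # Expired, or presented from another address: revoke so it cannot be reused.
            del self._sessions[key]
            return None
        return user


if __name__ == "__main__":
    store = SessionStore()
    sid = store.issue("alice", "192.0.2.10")      # constructed sample address
    print(store.validate(sid, "192.0.2.10"))      # accepted from the issuing address
    print(store.validate(sid, "198.51.100.7"))    # rejected and revoked elsewhere
```

Address binding rejects legitimate clients whose address changes mid-session (mobile networks, proxy pools), so it complements an unpredictable identifier and does not replace it.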