Advisories (2006)
Crystal Reports Weak Sessions
Nov 28, 2006
Crystal Reports uses a cookie value called WCSID as a session identifier. This session identifier is not sufficiently random, nor does it contain enough entropy. In addition, the session identifier is not tied to a user’s IP address. This combination allows an attacker to hijack any currently authenticated user’s session from any location.
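The two properties the advisory finds missing, sketched as an added example (not vendor code and not part of the original advisory): an identifier drawn from the OS CSPRNG, and a server-side check that ties it to the address it was issued to. The SessionStore class, its method names and the 900-second timeout are assumptions made for illustration.

```python
import hashlib
import secrets
import time

SESSION_TTL = 900  # seconds; assumed idle timeout for this example


class SessionStore:
    """Server-side sessions keyed by a digest of a CSPRNG token, bound to client IP."""

    def __init__(self, ttl=SESSION_TTL, clock=time.monotonic):
        self._sessions = {}  # sha256(token) -> (user, bound_ip, expires_at)
        self._ttl = ttl
        self._clock = clock

    @staticmethod
    def _key(token):
        # Store only a digest so a leaked session table does not yield usable cookies.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user, client_ip):
        # 32 bytes from the OS CSPRNG: 256 bits of entropy in the cookie value.
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (user, client_ip, self._clock() + self._ttl)
        return token

    def validate(self, token, client_ip):
        """Return the user for a live session presented from its bound IP, else None."""
        try:
            key = self._key(token)
        except (UnicodeEncodeError, AttributeError):
            return None  # malformed cookie value
        record = self._sessions.get(key)
        if record is None:
            return None
        user, bound_ip, expires_at = record
        if self._clock() >= expires_at:
            del self._sessions[key]
            return None
        if bound_ip != client_ip:
            # Valid token from a different address: treat as stolen and revoke it.
            del self._sessions[key]
            return None
        return user
```

Address binding is a secondary control, since clients behind a shared NAT present the same IP; the unpredictability of the identifier carries most of the protection.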