Crystal Reports Weak Sessions

Crystal Reports makes use of a cookie value called WCSID as a session identifier. This session identifier is not sufficiently random, not does it contain enough entropy. In addition, the session identifier is not tied to a user’s IP address. This combination allows an attacker to hijack any currently authenticated users’ sessions from any location.

Latest
2012
2011
2010
2009
2008
2007
2006

MWR Labs

Crystal Reports Weak Sessions