Hello,

I once did, as part of a blind test, some hammering on a Siebel Web Engine. At the time, I found some 'critical' situations which I've reported to the vendor. To be honest, I don't know if this has been fixed or not; this was reported in April this year.

I am pasting this information from the notes I have here, forgive me if this is not totally accurate:

Faulty request:
<quote>
start.swe?SWEMethod=Drilldown&SWEApplet=<applet>&SWEView=<view>SWEApcn=1&SWE Field=l_FAQSWECmd=InvokeMethod&SWECount=12&SWERowIds=SWERowId0%3d1-MZ4<large string>
</quote>

From my 'side' (the client), the consequences were:

1. Response to the 'attack' request: "Internal Error. Encountered an unexpected exception."
2. Response from a normal request after that: "Unable to access SOM user to process this request. This server is too busy to process any more requests at the moment."
3. Response from another normal request after: "System session cannot be started. If the problem persists, ask your systems administrator to make sure that the application is started, and check the application configuration, including database and anonymous user settings."

As this was part of a blind test, I have no clue on what really were the consequences on the server side. The only information I have been allowed to was, and quoting the sysadmin (this is a translation, not necessarily correct :-) ):

"You may stop this now! You're making our production database spitting fire and smoke!"

So, I would guess that it was a database related problem :-)

Best regards,

Joao Gouveia
--------------
tharbadat_private

----- Original Message -----
From: "Kevin Wharram" <kevin.wharramat_private>
To: <vuln-devat_private>
Sent: Thursday, October 17, 2002 2:29 PM
Subject: Application Vulnerability Analysis

> All,
>
> I would like to do a vulnerability analysis on the Siebel (CRM)
> application, does anyone have documentation or information that I can get
> on how to do one.
>
> Kevin
This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 11:28:47 PDT