On Teamsite, GET commands are used instead of POST commands to request information. This leads to the disclosure of user information on the URL line, including the session ID and an encrypted version of the password which could be cracked. This information is saved in the web browser history file, in the web browser cache, and by the web server’s logs.
Some tasks do not require a valid session ID cookie or even a valid session ID parameter on the URL.
https://<TS Server IP>/iw-bin/iwjobadmin.cgi does not even require any sessionid cookie or session parameter.
http://<TS Server IP>/iw-bin/iwcgi.cgi and http://<TS Server IP>/iw-bin/iwwftodo.cgi both require a session parameter which must be a valid session id but could be any session id previously used by any user.
This allows users who have not logged in access to the job lists and job details.
Obviously quite big issues... any recommendations to avert these?
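An added example, not part of the original post and not vendor code: a log audit that finds session IDs exposed in GET query strings under /iw-bin/, redacts them before the log is kept, and flags any session ID presented from more than one client address. The parameter names `session` and `sessionid`, the Common Log Format layout, and the sample lines are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed parameter names; the post only says "session parameter" / "sessionid".
SESSION_PARAMS = {"session", "sessionid"}

# Common Log Format prefix: client IP, timestamp, then the quoted request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Constructed sample access-log lines (documentation IP ranges, made-up IDs).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /iw-bin/iwcgi.cgi?session=AAAA1111&task=7 HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /iw-bin/iwwftodo.cgi?session=AAAA1111 HTTP/1.1" 200 734
192.0.2.10 - - [01/Jan/2024:10:06:00 +0000] "GET /iw-bin/iwjobadmin.cgi HTTP/1.1" 200 1290
192.0.2.44 - - [01/Jan/2024:10:07:00 +0000] "POST /iw-bin/iwcgi.cgi HTTP/1.1" 200 88
"""

def audit(log_text):
    """Return (redacted_lines, leaks, reused) for GET requests under /iw-bin/."""
    redacted, leaks, seen = [], [], defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            redacted.append(line)
            continue
        url = urlsplit(m["target"])
        clean = []
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if url.path.startswith("/iw-bin/") and key.lower() in SESSION_PARAMS:
                leaks.append((m["ip"], url.path))
                # Track a digest so the report itself never repeats the ID.
                digest = hashlib.sha256(value.encode()).hexdigest()[:12]
                seen[digest].add(m["ip"])
                value = "REDACTED"
            clean.append((key, value))
        target = url.path + ("?" + urlencode(clean) if clean else "")
        redacted.append(line.replace(m["target"], target, 1))
    # The same session ID arriving from several addresses suggests reuse.
    reused = {d: sorted(ips) for d, ips in seen.items() if len(ips) > 1}
    return redacted, leaks, reused

if __name__ == "__main__":
    lines, leaks, reused = audit(SAMPLE_LOG)
    print("\n".join(lines), leaks, reused, sep="\n")
```

Redaction only limits what the logs retain; the IDs still reach browser history and caches until the requests stop carrying them in the URL.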