Summary from what I read:
Any user can query pretty much any table in the DB using their "GQL" wrapper around SQL. Someone thought enough to restrict the "user_password" field, so instead you query another table which gives you the user's session ID. Normally a token is user session ID + signature. But it turns out the signature wasn't really being validated, so user session ID + anything worked.
I'm normally not one to jump on mistakes, but that's remarkably bad.
Almost exactly a year from report to disclosure. I'm sure it varies a lot, but is that a normal timeline for something this severe?
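An added illustration of the token flaw the summary above describes (example code, not from the report or from ServiceNow): a lookup that splits the token into session ID and signature but never checks the signature, beside a version that does. The token format, the HMAC key, and the session table are assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Constructed example data (hypothetical names, not from the report): a
# server-side HMAC key and a session table mapping session IDs to users.
SERVER_KEY = b"constructed-server-side-secret"
SESSIONS = {"sess-42": "alice", "sess-99": "admin"}


def sign(session_id: str) -> str:
    """Signature half of a token: HMAC-SHA256 over the session ID."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Token format assumed here: '<session_id>.<signature>'."""
    return f"{session_id}.{sign(session_id)}"


def resolve_user_flawed(token: str) -> Optional[str]:
    """Mirrors the bug in the summary: the signature is split off but never
    checked, so '<session id read from the DB>.anything' is accepted."""
    session_id, _ignored_sig = token.split(".", 1)
    return SESSIONS.get(session_id)


def resolve_user_fixed(token: str) -> Optional[str]:
    """Hardened lookup: reject any token whose signature does not verify."""
    try:
        session_id, sig = token.split(".", 1)
    except ValueError:
        return None  # malformed token: no signature part at all
    expected = sign(session_id)
    # Constant-time comparison on bytes, so a non-ASCII forgery cannot raise.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # signature mismatch: log it as a forgery attempt
    return SESSIONS.get(session_id)


if __name__ == "__main__":
    forged = "sess-99.anything"  # leaked session ID plus junk signature
    print(resolve_user_flawed(forged))                  # admin
    print(resolve_user_fixed(forged))                   # None
    print(resolve_user_fixed(issue_token("sess-99")))   # admin
```

Restricting a single column such as the password field does nothing here: as long as session IDs are readable through the query interface, only the signature check stands between a read and a session takeover.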
Ah, ServiceNow. We had to hold a formal code review on the steaming pile of turd they delivered because it was so incredibly bad even testing it would have been a security risk. That's the quality you get from them.
And yet, it's leagues better than HP Service Manager or, heaven forbid, that ticket system someone created in Lotus Notes...
Ticket systems are always a giant pain.
InSecurityNow? Fuck'm with prejudice. Keep digging.
RCE as admin has been a problem for over a decade. _Globally_ sessions do not expire... This is just the tip of the shit architecture iceberg.
My vote goes to snow; it's much better than ServiceCenter and Remedy. I'm a user only, not admin or dev.
Does anyone else get a security warning about a background download when visiting this page?
Of all the shitty enterprise software vendors, there is no platform I hate more than ServiceNow.
What an abomination of something seemingly so simple made into something so horrendously complex and bloated.
I was trying to explain to some new ServiceNow AE why we wouldn't be buying more product from them. Literally everyone who uses the product hates it - developers, admins, end users.
It behaves like it is constantly broken.
People talk shit about it all day, every day.
Maybe one day, some time long ago, they had a good product, and that's how it got embedded all over the place, but now, what a pile of junk!