A system bug has been located within a SAP E-Recruiting system which is blocking people from registering their e-mail. The problem is that a registration URL provided to job-seekers is predictable, meaning an attacker could put other peoples’ e-mails into the system and guess the “e-mail confirmation” link. It could be blocked by adding a pre-registration nonce to the confirmation link, but that wasn’t done in release versions 605, 606, 616 or 617.
View Full Story
ORIGINAL SOURCE: The Register