Of all the shitty enterprise software vendors, there is no platform I hate more than ServiceNow.

What an abomination of something seemingly so simple made into something so horrendously complex and bloated.

I was trying to explain to some new ServiceNow AE why we wouldn't be buying more product from them. Literally everyone who uses the product hates it - developers, admins, end users.

It behaves like it is constantly broken.

People talk shit about it all day, every day.

Maybe one day, some time a long time ago they had a good product, and that's how it got embedded all over the place, but now, what a pile of junk!
Summary from what I read:

Any user can query pretty much any table in the DB using their "GQL" wrapper around SQL. Someone thought enough to restrict the "user_password" field, so instead you query another table which gives you the user's session ID. Normally a token is user session ID + signature. But it turns out the signature wasn't really being validated, so user session ID + anything worked.

I'm normally not one to jump on mistakes, but that's remarkably bad.
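The summary above describes a token made of a session ID plus a signature where the signature half was not really validated. As an added illustration (not code from the article, from ServiceNow, or from the commenter), here is a hypothetical Python model of that class of flaw beside a hardened validator; the token format, signing key and session store are constructed assumptions, and the expiry check reflects the thread's separate remark that sessions never expire.

```python
import hmac
import hashlib
import time

# Constructed sample data: a server-side session store and a signing key.
# Nothing here is ServiceNow's real format; it only models the flaw the
# comment describes (token = session id + signature, signature not checked).
SECRET_KEY = b"constructed-demo-key-not-a-real-secret"
SESSION_STORE = {
    "sess-1234": {"user": "alice", "expires": time.time() + 3600},
    "sess-9999": {"user": "bob", "expires": time.time() - 1},  # already expired
}


def sign(session_id: str) -> str:
    """HMAC-SHA256 over the session id, hex-encoded."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Token layout assumed for the demo: '<session_id>.<signature>'."""
    return f"{session_id}.{sign(session_id)}"


def validate_flawed(token: str):
    """Models the bug: the token is split, but only the session-id half is
    consulted. Whatever follows the dot is accepted, so anyone who can read a
    session id (e.g. out of a queryable table) is treated as that user."""
    session_id, _, _ignored_signature = token.partition(".")
    session = SESSION_STORE.get(session_id)
    return session["user"] if session else None


def validate_fixed(token: str):
    """Hardened check: recompute the HMAC, compare it in constant time, and
    refuse sessions that are unknown or past their expiry."""
    session_id, _, signature = token.partition(".")
    if not signature or not hmac.compare_digest(sign(session_id), signature):
        return None
    session = SESSION_STORE.get(session_id)
    if session is None or session["expires"] < time.time():
        return None
    return session["user"]
```

Logging a rejected token whose session id exists but whose signature fails is a cheap detection signal for exactly the misuse the comment describes.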
Ah, ServiceNow. We had to hold a formal code review on the steaming pile of turd they delivered because it was so incredibly bad even testing it would have been a security risk. That's the quality you get from them.
And yet, it's leagues better than HP Service Manager or, heaven forbid, that ticket system someone created in Lotus Notes...

Ticket systems are always a giant pain.
InSecurityNow? Fuck'm with prejudice. Keep digging.

RCE as admin has been a problem for over a decade.
_Globally_ sessions do not expire...
This is just the tip of the shit architecture iceberg.