Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Skype account + IM history hijack vulnerability

From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Thu, 15 Nov 2012 16:45:29 +1300
Benji wrote:


Oracle attacks?

See into the future?
Padding oracle attacks?
Oracle SQL injections?


You noobs...

   http://www.drdobbs.com/understanding-oracle-attacks-on-informat/184405917

(Don't get too tied up in the crypto stuff in that article.)

klondike's point is that simply monitoring the response of the "user X 
wants to change their password" web-form tells you whether there is, in 
fact, a user named "X" on the system.  That's kinda obvious from the 
bash script klondike provided, and I don't do bash...



Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: