[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Skype account + IM history hijack vulnerability

To: Full-Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Skype account + IM history hijack vulnerability
From: "Nick FitzGerald" <nick@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 15 Nov 2012 16:45:29 +1300

Benji wrote:

> Oracle attacks?
> 
> See into the future?
> Padding oracle attacks?
> Oracle SQL injections?

You noobs...

   http://www.drdobbs.com/understanding-oracle-attacks-on-informat/184405917

(Don't get too tied up in the crypto stuff in that article.)

klondike's point is that simply monitoring the response of the "user X 
wants to change their password" web-form tells you whether there is, in 
fact, a user named "X" on the system.  That's kinda obvious from the 
bash script klondike provided, and I don't do bash...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Skype account + IM history hijack vulnerability
  - From: Benji
- Re: [Full-disclosure] Skype account + IM history hijack vulnerability
  - From: Benji

References:
- [Full-disclosure] Skype account + IM history hijack vulnerability
  - From: Kirils Solovjovs
- Re: [Full-disclosure] Skype account + IM history hijack vulnerability
  - From: klondike
- Re: [Full-disclosure] Skype account + IM history hijack vulnerability
  - From: Benji

Prev by Date: [Full-disclosure] [Security-news] SA-CONTRIB-2012-164 - Smiley module and Smileys module - Cross Site Scripting (XSS)
Next by Date: Re: [Full-disclosure] Skype account + IM history hijack vulnerability
Previous by thread: Re: [Full-disclosure] Skype account + IM history hijack vulnerability
Next by thread: Re: [Full-disclosure] Skype account + IM history hijack vulnerability
Index(es):
- Date
- Thread