Full Disclosure: Re: Skype account + IM history hijack vulnerability

["Nick FitzGerald" <nick () virus-l demon co uk>]

Benji wrote:

> Oracle attacks?
>
> See into the future?
> Padding oracle attacks?
> Oracle SQL injections?
You noobs...

   http://www.drdobbs.com/understanding-oracle-attacks-on-informat/184405917

(Don't get too tied up in the crypto stuff in that article.)

klondike's point is that simply monitoring the response of the "user X 
wants to change their password" web-form tells you whether there is, in 
fact, a user named "X" on the system.  That's kinda obvious from the 
bash script klondike provided, and I don't do bash...



Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/