Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Skype account + IM history hijack vulnerability
From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Thu, 15 Nov 2012 16:45:29 +1300

Benji wrote:

Oracle attacks?

See into the future?
Padding oracle attacks?
Oracle SQL injections?

You noobs...

   http://www.drdobbs.com/understanding-oracle-attacks-on-informat/184405917

(Don't get too tied up in the crypto stuff in that article.)

klondike's point is that simply monitoring the response of the "user X 
wants to change their password" web-form tells you whether there is, in 
fact, a user named "X" on the system.  That's kinda obvious from the 
bash script klondike provided, and I don't do bash...



Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]