Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Skype account + IM history hijack vulnerability
From: Benji <me () b3nji com>
Date: Thu, 15 Nov 2012 08:47:00 +0000

Hi genius of the year

Sometimes when people argue over the definition of '0day', it is important to be clear. Although the bash script made 
it clear, I have never ever seen someone call 'user enumeration' an 'oracle attack'. Probably because this is 2012 and 
the Matrix hasn't just come out.

Sorry for not knowing non-industry terms used by 1% of the populous you hipster.

Sent from my iPhone

On 15 Nov 2012, at 03:45, "Nick FitzGerald" <nick () virus-l demon co uk> wrote:

Benji wrote:

Oracle attacks?

See into the future?
Padding oracle attacks?
Oracle SQL injections?

You noobs...

  http://www.drdobbs.com/understanding-oracle-attacks-on-informat/184405917

(Don't get too tied up in the crypto stuff in that article.)

klondike's point is that simply monitoring the response of the "user X 
wants to change their password" web-form tells you whether there is, in 
fact, a user named "X" on the system.  That's kinda obvious from the 
bash script klondike provided, and I don't do bash...



Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]