Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Skype account + IM history hijack vulnerability

From: Benji <me () b3nji com>
Date: Thu, 15 Nov 2012 08:47:00 +0000
Hi genius of the year

Sometimes when people argue over the definition of '0day', it is important to be clear. Although the bash script made 
it clear, I have never ever seen someone call 'user enumeration' an 'oracle attack'. Probably because this is 2012 and 
the Matrix hasn't just come out.

Sorry for not knowing non-industry terms used by 1% of the populous you hipster.

Sent from my iPhone

On 15 Nov 2012, at 03:45, "Nick FitzGerald" <nick () virus-l demon co uk> wrote:


Benji wrote:


Oracle attacks?

See into the future?
Padding oracle attacks?
Oracle SQL injections?


You noobs...

  http://www.drdobbs.com/understanding-oracle-attacks-on-informat/184405917

(Don't get too tied up in the crypto stuff in that article.)

klondike's point is that simply monitoring the response of the "user X 
wants to change their password" web-form tells you whether there is, in 
fact, a user named "X" on the system.  That's kinda obvious from the 
bash script klondike provided, and I don't do bash...



Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: