Message-ID: <50A46559.3965.4DA7F483@nick.virus-l.demon.co.uk>
Date: Thu, 15 Nov 2012 16:45:29 +1300
From: "Nick FitzGerald" <nick@...us-l.demon.co.uk>
To: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Skype account + IM history hijack vulnerability

Benji wrote:

> Oracle attacks?
>
> See into the future?
> Padding oracle attacks?
> Oracle SQL injections?

You noobs...

http://www.drdobbs.com/understanding-oracle-attacks-on-informat/184405917

(Don't get too tied up in the crypto stuff in that article.)

klondike's point is that simply monitoring the response of the "user X wants to change their password" web-form tells you whether there is, in fact, a user named "X" on the system.

That's kinda obvious from the bash script klondike provided, and I don't do bash...

Regards,

Nick FitzGerald
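The point made above about the password-change form, shown as an added example that is not part of the original post or of klondike's script: a Python sketch of a reset handler whose reply reveals whether a username exists, beside one that answers identically either way, plus a check a defender can run in a test suite. The account store, function names and messages are all assumptions made for illustration.

```python
import secrets

# Constructed sample account store; the name and address are illustrative.
USERS = {"alice": "alice@example.org"}


def reset_leaky(username, outbox):
    """'Before' form: status and body differ when the account does not exist."""
    if username not in USERS:
        return 404, "No such user."
    outbox.append((USERS[username], secrets.token_urlsafe(16)))
    return 200, "A reset link has been sent."


def reset_uniform(username, outbox):
    """Hardened form: one status and body for every input.

    Mail is queued only for a real account, so the difference is visible
    to the mailbox owner and not to whoever submitted the form.
    """
    email = USERS.get(username)
    if email is not None:
        outbox.append((email, secrets.token_urlsafe(16)))
    return 200, "If that account exists, a reset link has been sent."


def leaks_existence(handler, known, unknown_names):
    """Regression check: True if any unknown name gets a reply that differs
    from the reply for a known account (status, body, or body length)."""
    baseline = handler(known, [])
    return any(handler(name, []) != baseline for name in unknown_names)


if __name__ == "__main__":
    probes = ["mallory", "bob", ""]  # constructed names absent from USERS
    print("leaky handler leaks:  ", leaks_existence(reset_leaky, "alice", probes))
    print("uniform handler leaks:", leaks_existence(reset_uniform, "alice", probes))
```

Response timing is a separate observable that this check does not cover; queuing the mail for asynchronous delivery, as the `outbox` list stands in for here, keeps the known and unknown paths close in duration.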