On YouTube the following video was posted 6 days ago (using DotNetNuke as the example application)
Impressive... only 38000 requests to determine an encryption key?? That is not as "brute force" as I expected it to be, like a thousand times more...
Well, I'm not sure if umbraco can be taken over just like they show in the video. Umbraco uses, as far as I know, the session instead of cookies.
Btw, this isn't really the correct forum for this topic... I guess the core\general forum would be more suitable: http://our.umbraco.org/forum/core/general
That is crazy!
It looks like they could do a lot of damage with DotNetNuke (access to the command line). But how far could they go in Umbraco, as it does not have that capability?
Well, you can write a package for umbraco just like they did for DotNetNuke (cmd.zip), so umbraco is capable of doing this. The only difference is umbraco using session and DNN using cookies.
I think unpatched umbraco is just as vulnerable, unfortunately.
There's also debate as to the usefulness of the workaround released by MS and the notion that a random delay in error pages will have any effect other than increasing the amount of brute force the attacker needs to use.