Video of exploit using the ASP.NET vulnerability
On YouTube, the following video was posted 6 days ago (using DotNetNuke as the example application):
http://www.youtube.com/watch?v=yghiC_U2RaM
Impressive... only 38000 requests to determine an encryption key?? That is not as "brute force" as I expected it to be, like a thousand times more...
Nico
Well, I'm not sure if umbraco can be taken over just like they show in the video.
Umbraco uses, as far as I know, the session instead of cookies.
Btw, this isn't really the correct forum for this topic... I guess the core\general forum would be more suitable: http://our.umbraco.org/forum/core/general
That is crazy!
It looks like they could do a lot of damage with DotNetNuke (access to the command line). But how far could they go in Umbraco, as it does not have that capability?
Well, you can write a package for Umbraco just like they did for DotNetNuke (cmd.zip), so Umbraco is capable of doing this.
The only difference is Umbraco using session and DNN using cookies.
I think unpatched umbraco is just as vulnerable, unfortunately.
There's also debate as to the usefulness of the workaround released by MS and the notion that a random delay in error pages will have any effect other than increasing the amount of brute force the attacker needs to use.