Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Nico Lubbers 151 posts 174 karma points
    Sep 22, 2010 @ 15:29
    Nico Lubbers
    1

    Video of exploit using the ASP.NET vulnerability

    On YouTube the following video is posted 6 days ago (using DotNetNuke as the example application)

    http://www.youtube.com/watch?v=yghiC_U2RaM

    Impressive... only 38000 requests to determine an encryption key?? That is not as "brute force" as I expected it to be like a thousand time more...

    Nico

  • Stefan Kip 1578 posts 4013 karma points c-trib
    Sep 22, 2010 @ 16:19
    Stefan Kip
    0

    Well, I'm not sure if umbraco can be taken over just like they show in the video.
    Umbraco uses, as far as I know, the session instead of cookies.

    Btw, this isn't really the correct forum for this topic... I guess the core\general forum would be more suitable: http://our.umbraco.org/forum/core/general

  • Sean Mooney 131 posts 158 karma points c-trib
    Sep 22, 2010 @ 16:27
    Sean Mooney
    0

    That is crazy!

    It looks like they could do a lot damage with DotNetNuke (access to the command line). But how far could they go in Umbraco, as it does not have that capability?

  • Stefan Kip 1578 posts 4013 karma points c-trib
    Sep 22, 2010 @ 16:29
    Stefan Kip
    0

    Well, you can write a package for umbraco just like they did for DotNetNuke (cmd.zip), so umbraco is capable of doing this.
    The only difference is umbraco using session and ddn using cookies.

  • dandrayne 1138 posts 2262 karma points
    Sep 22, 2010 @ 16:40
    dandrayne
    0

    I think unpatched umbraco is just as vulnerable, unfortunately.  

    There's also debate as to the usefulness of the workaround released by MS and the notion that a random delay in error pages will have any effect other than increasing the amount of brute force the attacker needs to use.

Please Sign in or register to post replies

Write your reply to:

Draft