> How realistic is it that an attacker would be able to glean passwords through > this vulnerability?
Checked by myself yesterday in some websites with login/pass form in (sites from my company, don't blame me). I took less than 2 minutes to get 3 user/password combinations, so, easy as hell. PD: First message in FD, hi all!!! 2014-04-10 0:32 GMT+02:00 Craig Holmes <cr...@rideaunetworks.com>: > On April 8, 2014 10:21:34 AM Matthew Musingo wrote: > > Even if your systems were patched an attacker could have already > attained > > the secrets. > > > > Certs and other sensitive information need to be reconsidered for > > replacement or changed > How realistic is it that an attacker would be able to glean passwords > through > this vulnerability? Programatically searching through 64k memory dumps for > certificates seems plausible, but looking for passwords does not. A > password is > of no pre-determined length or format. So unless you know what strings are > wrapped around it (and those strings are reliably presented), isn't the > loss > of some types of sensitive information.... unlikely? > > Cheers. > Craig > > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
