Date: Tue, 8 Apr 2014 16:44:00 -0400
From: Bobby Broughton <bobby@...ehosting.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: RE: OpenSSL 1.0.1 TLS/DTLS hearbeat information
 disclosure CVE-2014-0160

Once you gain a session id, you can hijack the person's session allowing for unauthorized access.

Here's a good article:

https://www.mattslifebytes.com/?p=533


Sent from my Verizon Wireless 4G LTE smartphone


-------- Original message --------
From: Donald Stufft
Date: 04/08/2014 4:28 PM (GMT-05:00)
To: oss-security@...ts.openwall.com
Subject: Re: [oss-security] OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160


On Apr 8, 2014, at 3:37 PM, Yves-Alexis Perez <corsac@...ian.org> wrote:

>  (for example, I'm still unsure how easy
> it really is to find some valuable data in those 64kB of process heap
> memory).

Real easy, here’s a Python script which looks for cookies https://gist.github.com/mitsuhiko/10130454

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

