Comment by Gygash
12 years ago
Found a Python PoC: http://s3.jspenguin.org/ssltest.py
Edit: and just used it to dump 64K from a known-vulnerable device we control. Got a session cookie. Jeez.
12 years ago
Found a Python PoC: http://s3.jspenguin.org/ssltest.py
Edit: and just used it to dump 64K from a known-vulnerable device we control. Got a session cookie. Jeez.
JESUS CHRIST, all sorts of private information. Patch your servers now!
After reading your comment, I started looking back at the packets I got using the script on a site I knew was not patched. Damn.. there are plaintext passwords in there for paypal.
This shit is scary.
There is going to be massive amounts of fraud all over the world for a while because of this bug.
Looks like that file was pulled. Here's a mirror on Pastebin:
http://pastebin.com/YsdUXL1F
Works pretty well on openssl.org...