Researchers release point-and-click website exploitation tool -- http://www.theregister.co.uk/2010/06/08/padding_oracle_attack_tool/
Watch POET vs Apache MyFaces -- http://www.youtube.com/watch?v=euujmKDxmC4
Research: Padding Oracle Exploit Tool -- http://netifera.com/research/
Released on Monday, POET exploits a well-known vulnerability in the way many websites encrypt text stored in cookies, hidden HTML fields and request parameters. That text is meant to let servers keep track of purchases, user preferences and other settings while ensuring that account credentials and other sensitive data cannot be intercepted. By modifying the encrypted information and sending it back to the server, an attacker can recover the plaintext of small chunks of the data, which can expose passwords and restricted parts of a web server. The fatal flaw that makes exploitation possible is the failure of JavaServer Faces to implement its AES/DES encryption correctly: the scheme provides no way to sign the ciphertext or authenticate the block cipher mode, so the server's reaction to a tampered ciphertext tells the sender whether the modified data still decrypted to valid padding.
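The property described above, an encryption scheme that never signs its ciphertext and therefore lets the server's reaction to tampering leak information, is straightforward to reproduce and to fix. The Go program below is an added example for this page; it is not POET and not Apache MyFaces code. It builds the unauthenticated AES-CBC pattern, the encrypt-then-MAC replacement that a server should use instead, and a self-check (distinctResponses) that a defender can run against their own decryption routine to see whether tampered inputs get more than one kind of answer. The keys, the sample state string and every function name are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrBadPadding = errors.New("bad padding")   // only the vulnerable path ever returns this
var ErrInvalidData = errors.New("invalid data") // the one error the fixed path returns

// pkcs7Unpad strips PKCS#7 padding; the caller guarantees len(b) is a non-zero multiple of bs.
func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrBadPadding
	}
	return b[:len(b)-n], nil
}

// encryptCBC returns IV || AES-CBC(key, pad(plaintext)); nothing authenticates the result.
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	rand.Read(out[:aes.BlockSize]) // fresh IV; crypto/rand.Read never returns an error as of Go 1.24
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// decryptCBCUnauthenticated is the vulnerable pattern: decrypt anything of the right
// shape, then let the padding check choose between ErrBadPadding and success.
func decryptCBCUnauthenticated(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, ErrInvalidData
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	return pkcs7Unpad(pt, aes.BlockSize)
}

// sealEtM is the fix: IV || ciphertext || HMAC-SHA256(macKey, IV || ciphertext).
func sealEtM(encKey, macKey, plaintext []byte) ([]byte, error) {
	body, err := encryptCBC(encKey, plaintext)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return mac.Sum(body), nil
}

// openEtM verifies the tag in constant time before decrypting and maps every failure to ErrInvalidData.
func openEtM(encKey, macKey, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize+sha256.Size {
		return nil, ErrInvalidData
	}
	body, tag := data[:len(data)-sha256.Size], data[len(data)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrInvalidData
	}
	if pt, err := decryptCBCUnauthenticated(encKey, body); err == nil {
		return pt, nil
	}
	return nil, ErrInvalidData
}

// distinctResponses is a self-check for your own decryption endpoint: it tries every other
// value of one ciphertext byte and counts the distinct outcomes (nil, i.e. accepted, is one).
// One outcome means tampering is indistinguishable; two or more means the endpoint is an oracle.
func distinctResponses(open func([]byte) ([]byte, error), data []byte, pos int) int {
	seen := map[error]bool{}
	for v := 0; v < 256; v++ {
		if byte(v) == data[pos] {
			continue // the untouched ciphertext is not a tampering probe
		}
		tampered := append([]byte{}, data...)
		tampered[pos] = byte(v)
		_, err := open(tampered)
		seen[err] = true
	}
	return len(seen)
}

func main() {
	encKey, macKey := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 32) // constructed demo keys
	state := []byte("user=alice;role=viewer")                                          // constructed sample state
	ct, _ := encryptCBC(encKey, state)
	sealed, _ := sealEtM(encKey, macKey, state)
	// Probe the last byte of the block that precedes the final block in each wire format.
	fmt.Println("CBC only:", distinctResponses(func(d []byte) ([]byte, error) { return decryptCBCUnauthenticated(encKey, d) }, ct, len(ct)-aes.BlockSize-1))
	fmt.Println("encrypt-then-MAC:", distinctResponses(func(d []byte) ([]byte, error) { return openEtM(encKey, macKey, d) }, sealed, len(sealed)-sha256.Size-aes.BlockSize-1))
}
```

Running it with `go run` prints a count of 2 or more for the CBC-only decryptor (some tampered inputs are accepted, the rest fail the padding check) and exactly 1 for the encrypt-then-MAC version, because a forged tag is rejected before the padding code ever runs. That ordering is the point of the fix: verifying the MAC first, with hmac.Equal so the comparison is constant-time, means neither the error value nor the processing time depends on the decrypted bytes. Merely renaming the padding error to a generic one is not enough on its own, since a padding check that still executes can leak the same bit through timing. A modern service would reach the same property with an AEAD mode such as AES-GCM rather than hand-assembling CBC and HMAC.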

