User:ATDT/Security

Early on in the bug bounty, one of my friends (Neal Poole, also testing CCBill at the time) pointed me in the direction of the 'Forgot Password' function and thought I might be able to find something there, specifically a padding oracle type attack. When I requested a password reset for my account, I'd receive a long link in my email, e.g. https://admin.ccbill.com/updatePassword2.cgi?enc=c8d2d3d66ac13a865d64276623d8260352616e646f6d49566e31e063163e5bd501fbca5d6f1c71998148a12edb637a2cf36492b646d8ad9ab8119c6214432afe27c3c3030c2e6b43a2a8e9452923ad18298f9255578d639c07afe41c1e82935d1cdba3709bec565e3eefb08ad27f33127ad3daeb51d88d16209c706de526fc1c63f9e760e39da6fecbc9b5734a8bb8a8348a07c2aac7645a799586a0f4cac7fa075862f4cac6dc17137ad3840d43ea1d7a04d324cff6aab1917b4ac3779a98f3fdb8476f25f350ae9bc4863fa1e11b4eacfba44b4dded55e6589568b57675890635da75c13e22234

Now, when I see a blob like that, my first step is to take it from hex back to an ASCII representation. In the header of that blob, I saw RandomIV. A quick Googling of that string told me that it was generated by Perl's Crypt::CBC. Outside of an irrelevant old vulnerability report about the usefulness of the IVs (http://cpansearch.perl.org/src/LDS/Crypt-CBC-2.30/Crypt-CBC-2.16-vulnerability.txt), it looked solid. CBC mode, HMACed properly (seemingly), etc. So tampering with the blob wasn't much use.
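The triage step described above, as an added example that is not part of the original write-up: it hex-decodes a token, shows the ASCII view, and splits the bytes around the `RandomIV` marker. It assumes Crypt::CBC's legacy header layout (the literal `RandomIV` followed by an 8-byte IV); the sample token and all function names are constructed for illustration.

```python
MARKER = b"RandomIV"  # literal header written by Crypt::CBC's legacy 'randomiv' format
IV_LEN = 8            # assumption: that header format carries an 8-byte IV


def decode_hex(hex_token):
    """Hex-decode a token, raising a clear error on malformed input."""
    try:
        return bytes.fromhex(hex_token.strip())
    except ValueError as exc:
        raise ValueError("token is not valid hex") from exc


def ascii_view(hex_token):
    """Render the decoded bytes as ASCII, replacing non-printable bytes with '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in decode_hex(hex_token))


def split_randomiv_token(hex_token):
    """Return (prefix, iv, ciphertext) split around the RandomIV marker."""
    raw = decode_hex(hex_token)
    pos = raw.find(MARKER)
    if pos < 0:
        raise ValueError("no RandomIV marker found")
    iv_start = pos + len(MARKER)
    iv = raw[iv_start:iv_start + IV_LEN]
    if len(iv) != IV_LEN:
        raise ValueError("token truncated inside the IV")
    return raw[:pos], iv, raw[iv_start + IV_LEN:]


def describe(hex_token):
    """Summarise the layout: bytes before the marker, the IV, ciphertext size."""
    prefix, iv, ciphertext = split_randomiv_token(hex_token)
    return {
        "prefix_len": len(prefix),
        "iv": iv.hex(),
        "ciphertext_len": len(ciphertext),
        # CBC ciphertext must be a non-empty whole number of cipher blocks
        "block_aligned": len(ciphertext) > 0 and len(ciphertext) % IV_LEN == 0,
    }


# Constructed sample (not the token from the post): 16 opaque leading bytes,
# the marker, an 8-byte IV, then 24 bytes standing in for ciphertext.
SAMPLE = "11" * 16 + MARKER.hex() + "0001020304050607" + "aa" * 24

if __name__ == "__main__":
    print(ascii_view(SAMPLE))
    print(describe(SAMPLE))
```

Whatever bytes precede the marker are reported only by length; the code makes no claim about what the application stores there.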