BugTraq
Re: XSS in Oracle default fcgi-bin/echo Oct 13 2010 08:18PM
paul szabo sydney edu au (1 replies)
RE: [Full-disclosure] XSS in Oracle default fcgi-bin/echo Oct 13 2010 08:42PM
Thor (Hammer of God) (thor hammerofgod com) (1 replies)
RE: [Full-disclosure] XSS in Oracle default fcgi-bin/echo Oct 13 2010 08:49PM
paul szabo sydney edu au (1 replies)
RE: [Full-disclosure] XSS in Oracle default fcgi-bin/echo Oct 13 2010 09:14PM
Thor (Hammer of God) (thor hammerofgod com) (1 replies)
>You make wrong assumptions, and jump to conclusions:
> - Not anyone, but bona-fide ones only.
> - I do not "own" an Oracle site to test.
>Were not those obvious to right-thinking people?

You misunderstand. Irrespective of the method you choose to validate "bona-fide" recipients of your PoC, you will have no control over what the recipient chooses to do with it once they have it. As such, logic dictates that your PoC be considered "public" the moment you release it. If there was any "obvious" point missed, it was that fact.

My original position stands: either disclose the code publically - in other words - don't fool yourself into thinking you are somehow being responsible by "validating" recipients prior, or simply send the code to Oracle and ask them if works or not. It's unfortunate that you consider simple logic as assumptive or a presupposition but I respect your right to do so.

t

[ reply ]
RE: [Full-disclosure] XSS in Oracle default fcgi-bin/echo Oct 13 2010 09:35PM
paul szabo sydney edu au (1 replies)
Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo Oct 17 2010 06:23AM
Riyaz Walikar (riyazwalikar gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus