Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
- To: "paul.szabo@xxxxxxxxxxxxx" <paul.szabo@xxxxxxxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
- From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
- Date: Wed, 13 Oct 2010 22:26:15 +0000
Dropping bugtraq as this thread no longer has any security value.
>Does logic dictate that all people are rabid pro-disclosure zealots, who do not
>respect copyright, IP rights, nor gentle personal requests for discretion?
I'm sorry that you are having such difficulty grasping the concept of logic.
It might help for you to avoid being distracted by your propensity to attach
emotional characteristics to statements where they do not apply. Not only have
I said nothing to support the conclusion that I have some position about full
disclosure or its alternatives, but it really wouldn't matter if I did.
Regardless of immature attempts to malign my statements, the fact is that no
matter how much you may want recipients to respect any terms of use you may
apply to the disclosure of your PoC, you simply cannot enforce it. They will
be made public, and there is nothing you can do about it. So either release
it, or not. I don't think I can present that in any less complex a manner.
I do however find it curious that you react with charges of "rabid
pro-disclosure zealots" when you were the one that posted to Full Disclosure in
the first place.
>> ... don't fool yourself into thinking you are somehow being
>> responsible ...
>
>I do not own an over-inflated ego.
That is fortunate, as based on your responses thus far, it would be difficult
for you to justify.
>> ... or simply send the code to Oracle and ask them ...
>
>Sorry to blow your assumption: sent to Oracle, ages ago, first thing.
If that is the case, then your intentions of contributing to this thread are
confusing. If you supplied code, and a patch was issued based on your code,
then why question whether the patch fixes the vulnerability? You've even
stated that they "double-checked" and it was fixed, but then go on to say that
it would be difficult to verify. You've stated that you don't own an Oracle
installation, yet you've provided PoC. They have stated it is fixed, yet you
are stating that you think it should be verified anyway. Your final statement,
that a suggestion made in response to your post on Full Disclosure (that you
supply code to test a vulnerability the vendor has already fixed) somehow
illustrates a "rabid pro-disclosure zealot who does not respect copyright, IP
rights, nor gentle personal requests for discretion", simply indicates that you
do not understand the process, and that your reaction to your own
misunderstanding is to engage in childish rebuttals rather than provide something
of value.
As amusing as this has been, you are clearly unable to bring any substance to
your original post, so I shall leave you to your own devices. I hope your
studies in mathematics contribute to your capacity to discern logic. Have a
nice day.
t
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/