Full Disclosure mailing list archives

Re: XSS in Oracle default fcgi-bin/echo


From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Wed, 13 Oct 2010 22:26:15 +0000

Dropping bugtraq as this thread no longer has any security value.

Does logic dictate that all people are rabid pro-disclosure zealots, who do not
respect copyright, IP rights, nor gentle personal requests for discretion?

I'm sorry that you are having such difficulty grasping the concept of logic.  It might help for you to avoid being 
distracted by your propensity to attach emotional characteristics to statements where they do not apply.  Not only have 
I said nothing to support the conclusion that I have some position about full disclosure or its alternatives, but it 
really wouldn't matter if I did.  Regardless of immature attempts to malign my statements, the fact is that no matter 
how much you may want recipients to respect any terms of use you may apply to the disclosure of your PoC, you simply 
cannot enforce it.  They will be made public, and there is nothing you can do about it.  So either release it, or not.
I don't think I can present that in any less complex manner.

I do however find it curious that you react with charges of "rabid pro-disclosure zealots" when you were the one that 
posted to Full Disclosure in the first place.  

... don't fool yourself into thinking you are somehow being
responsible ...

I do not own an over-inflated ego.

That is fortunate, as based on your responses thus far, it would be difficult for you to justify. 

... or simply send the code to Oracle and ask them ...

Sorry to blow your assumption: sent to Oracle, ages ago, first thing.

If that is the case, then your intentions of contributing to this thread are confusing.  If you supplied code, and a 
patch was issued based on your code, then why question whether the patch fixes the vulnerability?  You've even stated 
that they "double-checked" and it was fixed, but then go on to say that it would be difficult to verify.  You've stated 
that you don't own an Oracle installation, yet you've provided PoC.  They have stated it is fixed, yet you are stating 
that you think it should be verified anyway.  The final statement that a suggestion in response to your post on Full 
Disclosure be that you supply code to test a vulnerability that the vendor already fixed somehow illustrates a "rabid 
pro-disclosure zealot who does not respect copyright, IP rights, nor gentle personal requests for discretion" simply 
indicates that you do not understand the process, and that your reaction to your own misunderstanding is to engage in 
childish rebuttals rather than provide something of value.

As amusing as this has been, you are clearly unable to bring any substance to your original post, so I shall leave you 
to your own devices.  I hope your studies in mathematics contribute to your capacity to discern logic.  Have a nice day.

t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

