Re: XSS in Oracle default fcgi-bin/echo
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Wed, 13 Oct 2010 22:26:15 +0000
Dropping bugtraq as this thread no longer has any security value.
Does logic dictate that all people are rabid pro-disclosure zealots, who do not
respect copyright, IP rights, nor gentle personal requests for discretion?
I'm sorry that you are having such difficulty grasping the concept of logic. It might help for you to avoid being
distracted by your propensity to attach emotional characteristics to statements where they do not apply. Not only have
I said nothing to support the conclusion that I have some position about full disclosure or its alternatives, but it
really wouldn't matter if I did. Regardless of immature attempts to malign my statements, the fact is that no matter
cannot enforce it. They will be made public, and there is nothing you can do about it. So either release it, or not.
I don't think I can present that in any less complex manner.
I do however find it curious that you react with charges of "rabid pro-disclosure zealots" when you were the one that
posted to Full Disclosure in the first place.
... don't fool yourself into thinking you are somehow being
I do not own an over-inflated ego.
That is fortunate, as based on your responses thus far, it would be difficult for you to justify.
... or simply send the code to Oracle and ask them ...
Sorry to blow your assumption: sent to Oracle, ages ago, first thing.
If that is the case, then your intentions of contributing to this thread are confusing. If you supplied code, and a
patch was issued based on your code, then why question whether the patch fixes the vulnerability? You've even stated
that they "double-checked" and it was fixed, but then go on to say that it would be difficult to verify. You've stated
that you don't own an Oracle installation, yet you've provided PoC. They have stated it is fixed, yet you are stating
that you think it should be verified anyway. The final statement that a suggestion in response to your post on Full
Disclosure be that you supply code to test a vulnerability that the vendor already fixed somehow illustrates a "rabid
pro-disclosure zealot who does not respect copyright, IP rights, nor gentle personal requests for discretion" simply
indicates that you do not understand the process, and that your reaction to your own misunderstanding is to engage in
childish rebuttals rather than provide something of value.
As amusing as this has been, you are clearly unable to bring any substance to your original post, so I shall leave you
to your own devices. I hope your studies in mathematics contribute to your capacity to discern logic. Have a nice day.