Full Disclosure mailing list archives
Re: XSS in Oracle default fcgi-bin/echo
From: Riyaz Walikar <riyazwalikar () gmail com>
Date: Sun, 17 Oct 2010 11:50:24 +0530
Hi Paul,

The mere mention of fcgi-bin/echo in your first mail is enough for anybody to derive the PoC. Here's what I found in under a minute:

*/fcgi-bin/echo/<script>aler('xss')</script>*

Anybody with a day's work in Web Application security would be able to figure this out knowing the vulnerable script.

Just my two cents.

Regards,
Riyaz Walikar

On Thu, Oct 14, 2010 at 3:05 AM, <paul.szabo () sydney edu au> wrote:

Dear Thor,

Amazing how people claim being logical ... sure sign they aren't!

... Irrespective of the method you choose to validate "bona-fide" recipients of your PoC, you will have no control over what the recipient chooses to do with it once they have it. As such, logic dictates that your PoC be considered "public" the moment you release it. ...

Does logic dictate that all people are rabid pro-disclosure zealots, who do not respect copyright, IP rights, nor gentle personal requests for discretion?

... don't fool yourself into thinking you are somehow being responsible ...

I do not own an over-inflated ego.

... or simply send the code to Oracle and ask them ...

Sorry to blow your assumption: sent to Oracle, ages ago, first thing.

Cheers, Paul

Paul Szabo psz () maths usyd edu au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
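The class of bug the thread is about, a default "echo" CGI that reflects part of the request back into an HTML response without encoding, is easy to model and to test for on your own deployment. The block below is an added example written for this archive page; it is not Oracle's echo script, nor code from any poster, and the WSGI-style handlers, the `SAMPLE_PATH_INFO` value and the `reflects_input_verbatim` check are all constructed here to illustrate the vulnerable pattern beside its hardened form.

```python
import html
from urllib.parse import unquote

# Constructed probe, not taken from any real request: harmless markup that
# should never survive unencoded into an HTML response.
SAMPLE_PATH_INFO = "/<s>injected</s>"


def echo_unsafe(environ):
    """Hypothetical model of an 'echo' CGI: reflects PATH_INFO verbatim.

    This is the vulnerable pattern. Any '<', '>' or quote in the request
    path lands in the HTML body unchanged, so the page content is
    attacker-controlled (reflected XSS).
    """
    path = unquote(environ.get("PATH_INFO", ""))
    body = "<html><body><pre>PATH_INFO=" + path + "</pre></body></html>"
    return "200 OK", [("Content-Type", "text/html")], body


def echo_safe(environ):
    """Hardened version of the same handler.

    Every reflected value is HTML-entity encoded for the context it is
    written into (text content inside <pre>), the charset is declared so the
    browser cannot guess a different encoding, and a restrictive CSP is
    sent as defence in depth.
    """
    path = unquote(environ.get("PATH_INFO", ""))
    body = ("<html><body><pre>PATH_INFO="
            + html.escape(path, quote=True)
            + "</pre></body></html>")
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy", "default-src 'none'"),
        ("X-Content-Type-Options", "nosniff"),
    ]
    return "200 OK", headers, body


def reflects_input_verbatim(handler, probe):
    """Self-test for an echo-style endpoint you operate.

    Sends the constructed probe through the handler and reports whether the
    raw markup reappears in the response body. True means the handler is
    reflecting without output encoding and needs the fix shown in echo_safe.
    """
    _status, _headers, body = handler({"PATH_INFO": probe})
    return probe.lstrip("/") in body


if __name__ == "__main__":
    for name, handler in (("unsafe", echo_unsafe), ("safe", echo_safe)):
        print(name, "reflects raw markup:",
              reflects_input_verbatim(handler, SAMPLE_PATH_INFO))
```

Run against the constructed probe, `echo_unsafe` returns the `<s>` tags unchanged while `echo_safe` returns them as `&lt;s&gt;...&lt;/s&gt;`. The same `reflects_input_verbatim` check can be pointed at any handler that reflects request data; if it reports True, the handler is writing untrusted input into HTML without encoding for that context.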
Current thread:
- XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 07)
- Re: XSS in Oracle default fcgi-bin/echo Nahuel Grisolia (Oct 08)
- Re: XSS in Oracle default fcgi-bin/echo psy (Oct 09)
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 10)
- Re: XSS in Oracle default fcgi-bin/echo psy (Oct 09)
- <Possible follow-ups>
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo Riyaz Walikar (Oct 17)
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 18)
- Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo Nahuel Grisolia (Oct 08)