RE: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
>Hmm... maybe difficult to verify, since I did not post a PoC test.
>Maybe a kind Oracle admin could point me to a patched fcgi-bin/echo?
>Funny if any such existed: an admin careful to keep patches up-to-date, but
>careless in not following security recommendations to remove...
>Maybe, contact me off-list so I can provide PoC?
If you are going to give PoC code to anyone who asks for it, why not just post it? It will be made public anyway. Or you could apply the patch yourself and test on your own and communicate any vulnerabilities that may persist to Oracle first.
t