RE: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
>You make wrong assumptions, and jump to conclusions:
> - Not anyone, but bona-fide ones only.
> - I do not "own" an Oracle site to test.
>Were not those obvious to right-thinking people?
You misunderstand. Irrespective of the method you choose to validate "bona-fide" recipients of your PoC, you will have no control over what the recipient chooses to do with it once they have it. As such, logic dictates that your PoC be considered "public" the moment you release it. If there was any "obvious" point missed, it was that fact.
My original position stands: either disclose the code publicly - in other words - don't fool yourself into thinking you are somehow being responsible by "validating" recipients prior, or simply send the code to Oracle and ask them if it works or not. It's unfortunate that you consider simple logic as assumptive or a presupposition, but I respect your right to do so.