Date: Wed, 13 Oct 2010 22:26:15 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: "paul.szabo@...ney.edu.au" <paul.szabo@...ney.edu.au>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: XSS in Oracle default fcgi-bin/echo

Dropping bugtraq as this thread no longer has any security value.

>Does logic dictate that all people are rabid pro-disclosure zealots, who do not
>respect copyright, IP rights, nor gentle personal requests for discretion?

I'm sorry that you are having such difficulty grasping the concept of logic.  It might help for you to avoid being distracted by your propensity to attach emotional characteristics to statements where they do not apply.  Not only have I said nothing to support the conclusion that I have some position about full disclosure or its alternatives, but it really wouldn't matter if I did.  Regardless of immature attempts to malign my statements, the fact is that no matter how much you may want recipients to respect any terms of use you may apply to the disclosure of your PoC, you simply cannot enforce it.   They will be made public, and there is nothing you can do about it.  So either release it, or not.  I don't think I can present that in any less complex manner.

I do however find it curious that you react with charges of "rabid pro-disclosure zealots" when you were the one that posted to Full Disclosure in the first place.  

>> ... don't fool yourself into thinking you are somehow being
>> responsible ...
>
>I do not own an over-inflated ego.

That is fortunate, as based on your responses thus far, it would be difficult for you to justify. 

>> ... or simply send the code to Oracle and ask them ...
>
>Sorry to blow your assumption: sent to Oracle, ages ago, first thing.

If that is the case, then your intentions of contributing to this thread are confusing.  If you supplied code, and a patch was issued based on your code, then why question whether the patch fixes the vulnerability?  You've even stated that they "double-checked" and it was fixed, but then go on to say that it would be difficult to verify.  You've stated that you don't own an Oracle installation, yet you've provided PoC.  They have stated it is fixed, yet you are stating that you think it should be verified anyway.  The final statement that a suggestion in response to your post on Full Disclosure be that you supply code to test a vulnerability that the vendor already fixed somehow illustrates a "rabid pro-disclosure zealot who does not respect copyright, IP rights, nor gentle personal requests for discretion" simply indicates that you do not understand the process, and that your reaction to your own misunderstanding is to engage in childish rebuttals rather than provide something of value.

As amusing as this has been, you are clearly unable to bring any substance to your original post, so I shall leave you to your own devices.  I hope your studies in mathematics contribute to your capacity to discern logic.  Have a nice day.

t
