lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 14 Mar 2014 19:09:48 +0000
From: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
To: Krzysztof Kotowicz <kkotowicz+fd@...il.com>,
 full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Google vulnerabilities with PoC

You are wrong, because we do have proof of concepts. If we didn't have
them, then there would be no case.

But if there are video clips, images demonstrating impact - in which case
arbitrary file uploads (which is a write() call ) to a remote network, then
it is a vulnerability. It is not about the bounty, but rather about not
defying academic literature and widely recognised practise.

Attacking the arguer, won't make the bug to go away.

Best,

Nicholas.


On Fri, Mar 14, 2014 at 7:01 PM, Krzysztof Kotowicz
<kkotowicz+fd@...il.com>wrote:

> Nicholas, seriously, just stop.
>
> You have found an 'arbitrary file upload' in a file hosting service and
> claim it is a serious vulnerability. With no proof that your 'arbitrary
> file' is being used anywhere in any context that would lead to code
> execution - on server or client side. You cite OWASP documents (which are
> unrelated to the case), academia papers from 1975 just to find a reason
> it's theoretically serious, not paying any attention to what service you're
> actually attacking and what have you really achieved in that (which is
> demonstrating a filtering weakness at best, low risk).
>
> Everyone on this list so far explains why you're wrong, but you just won't
> stop. So you start throwing out certificates, your academia experience and
> your respected company. Then - name calling everyone else. Seriously, it's
> just a good laugh for most of us.
>
> Dude, please, just because you did not qualify for a bounty, there's no
> point in launching a whole campaign like you are. You're essentially
> following the path of Khalil Shreateh (the guy who posted on Zuckerberg FB
> wall) - he DID find a vuln though. Do you really want that? Go ahead, start
> a crowdsourcing campaign!
>
>
>
>
>
> 2014-03-14 19:40 GMT+01:00 Nicholas Lemonias. <lem.nikolas@...glemail.com>
> :
>
>> We have many PoC's including video clips. We may upload for the security
>> world to see.
>>
>> However, this is not the way to treat security vulnerabilities. Attacking
>> the researcher and bringing you friends to do aswell, won't mitigate the
>> problem.
>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ