lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 14 Mar 2014 20:04:20 +0000
From: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
To: Chris Thompson <christhom7851@...il.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Google vulnerabilities with PoC

http://upload.youtube.com/?authuser=0&upload_id=
AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--
uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=
CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw

That information can be queried from the db, where the metadata are saved.
The files are being saved persistently , as per the above example.


On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <
lem.nikolas@...glemail.com> wrote:

>
> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>
> That information can be queried from the db, where the metadata are saved.
> The files are being saved persistently , as per the above example.
>
>
> On Fri, Mar 14, 2014 at 8:00 PM, Chris Thompson <christhom7851@...il.com>wrote:
>
>> Hi Nikolas,
>>
>> Please do read (and understand) my entire email before responding - I
>> understand your frustration trying to get your message across but maybe
>> this will help.
>>
>> Please put aside professional pride for the time being - I know how it
>> feels to be passionate about something yet have others simply not
>> understand.
>>
>> Let me try and bring some sanity to the discussion and explain to you why
>> people maybe not agreeing with you.
>>
>> You (rightly so) highlighted what you believe to be an issue in a Youtube
>> whereby it appears (to you) than you can upload an arbitrary file. If you
>> can indeed do this as you suspect then your points are valid and you "may"
>> be able to cause various issues associated with it such as DOS etc -
>> especially if the uploaded files cannot or are not tracked.
>>
>> However...
>>
>> Consider than you are talking to an API and what you are getting back
>> (the JSON response) in your example is simply a response from the API to
>> say the file you uploaded has been received and saved.
>>
>> Now, as you no doubt know, when you upload a regular movie to YouTube,
>> once uploaded it goes away and does some post-processing, converting it to
>> flash for example. What's to say that there isn't some verification aspect
>> to this post-processing that checks if the file is intact a valid movie and
>> if not removes it.
>>
>> If you could for example demonstrate that the file was indeed persistent,
>> by being able to retrieve it for example then again, you would have solid
>> ground to claim an issue however your claims at this point are based on an
>> assumption.... Let me explain.
>>
>> 1. You have demonstrated than you can send "any" file to an API and the
>> API returned an acknowledgment of receiving (and saving) the file.
>>
>> 2. You / we don't know what Google do with files once they have been
>> received from the API - maybe they process them and validate them - we
>> simply don't know.
>>
>> 3. You have hypothesized that you can retrieve the file by manipulating
>> tokens etc and you may be right, but you have not demonstrated it as such.
>>
>> Because of this, you seem to have made a CLAIM that you can upload
>> arbitrary files to Google however SHOWN that you can simply send files to
>> an API and an API responds in a certain way.
>>
>> I am NOT saying you haven't found an issue, what I am saying is that you
>> need to demonstrate that the issue is real and thus can be abused. If the
>> Google service simply verifies all uploaded files once they are uploaded
>> and discards them if invalid, then you haven't really found anything.
>>
>> If you were to prove that you were able to retrieve this uploaded file
>> then how could anyone dispute your bug.
>>
>> Hope this helps....
>>
>> Cheers!
>>
>
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ