lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAPMrQTS41VvL=tZu-d1=4CokAgURNx=jMSEW+o_27yUGdH0-KQ@mail.gmail.com>
Date: Thu, 13 Mar 2014 18:09:37 +0200
From: Julius Kivimäki <julius.kivimaki@...il.com>
To: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Google vulnerabilities with PoC

Did you even read that article? (Not that OWASP has any sort of credibility
anyways). From what I saw in your previous post you are both unable to
execute the files or even access them and thus unable to manipulate the
content-type the files are returned with, therefore there is no
vulnerability (According to the article you linked.).

BTW, you should look for more cool vulnerabilities in amazons EC2, I'm sure
you will find some "Unrestricted File Upload" holes.


2014-03-13 16:18 GMT+02:00 Nicholas Lemonias. <lem.nikolas@...glemail.com>:

> Here is your answer.
> https://www.owasp.org/index.php/Unrestricted_File_Upload
>
>
> On Thu, Mar 13, 2014 at 1:39 PM, Julius Kivimäki <
> julius.kivimaki@...il.com> wrote:
>
>> When did the ability to upload files of arbitrary types become a security
>> issue? If the file doesn't get executed, it's really not a problem.
>> (Besides from potentially breaking site layout standpoint.)
>>
>>
>> 2014-03-13 12:43 GMT+02:00 Nicholas Lemonias. <lem.nikolas@...glemail.com
>> >:
>>
>>> Google vulnerabilities uncovered...
>>>
>>>
>>>
>>> http://news.softpedia.com/news/Expert-Finds-File-Upload-Vulnerability-in-YouTube-Google-Denies-It-s-a-Security-Issue-431489.shtml
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ