Message-ID: <CAPMrQTS41VvL=tZu-d1=4CokAgURNx=jMSEW+o_27yUGdH0-KQ@mail.gmail.com>
Date: Thu, 13 Mar 2014 18:09:37 +0200
From: Julius Kivimäki <julius.kivimaki@...il.com>
To: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Google vulnerabilities with PoC
Did you even read that article? (Not that OWASP has any sort of credibility
anyways.) From what I saw in your previous post, you are both unable to
execute the files or even access them, and thus unable to manipulate the
content-type the files are returned with; therefore there is no
vulnerability (according to the article you linked).
BTW, you should look for more cool vulnerabilities in Amazon's EC2. I'm sure
you will find some "Unrestricted File Upload" holes.
2014-03-13 16:18 GMT+02:00 Nicholas Lemonias. <lem.nikolas@...glemail.com>:
> Here is your answer.
> https://www.owasp.org/index.php/Unrestricted_File_Upload
>
>
> On Thu, Mar 13, 2014 at 1:39 PM, Julius Kivimäki <julius.kivimaki@...il.com> wrote:
>
>> When did the ability to upload files of arbitrary types become a security
>> issue? If the file doesn't get executed, it's really not a problem.
>> (Besides from potentially breaking site layout standpoint.)
>>
>>
>> 2014-03-13 12:43 GMT+02:00 Nicholas Lemonias. <lem.nikolas@...glemail.com>:
>>
>>> Google vulnerabilities uncovered...
>>>
>>>
>>>
>>> http://news.softpedia.com/news/Expert-Finds-File-Upload-Vulnerability-in-YouTube-Google-Denies-It-s-a-Security-Issue-431489.shtml
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>
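The argument in this thread turns on two conditions: whether an uploaded file can be executed, and whether the uploader can influence the Content-Type it is served with. The following is an added example (not code from either poster, Google, or OWASP) of an upload handler that closes both paths on the server side. It assumes a small allow-list of file types, a hypothetical size limit, and that the stored name-to-type mapping is recorded out of band (for instance in a database); all function and constant names are illustrative.

```python
# Added example, not part of the mailing-list thread. Demonstrates the
# defensive handling implied by the discussion: an upload only matters if the
# server executes it or lets the uploader control its served Content-Type,
# so this handler (a) validates the file against an allow-list using both
# extension and leading magic bytes, (b) stores it under a random name with no
# user-chosen extension, so no web server maps it to a script handler, and
# (c) serves it with a fixed Content-Type plus headers that stop browsers from
# sniffing or rendering it inline.
import os
import secrets

# Allow-list: extension -> (accepted magic-byte prefixes, Content-Type to emit).
# The served Content-Type comes only from this table, never from the request.
ALLOWED = {
    "png": ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    "jpg": ((b"\xff\xd8\xff",), "image/jpeg"),
    "gif": ((b"GIF87a", b"GIF89a"), "image/gif"),
    "pdf": ((b"%PDF-",), "application/pdf"),
}
MAX_BYTES = 5 * 1024 * 1024  # hypothetical size limit (assumption)


def validate_upload(filename: str, data: bytes):
    """Return (extension, None) if the upload is acceptable, else (None, reason)."""
    if len(data) > MAX_BYTES:
        return None, "too large"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return None, f"extension {ext!r} not allowed"
    magics, _ = ALLOWED[ext]
    # The claimed extension must agree with the actual leading bytes; a text or
    # HTML body named "x.png" is rejected here rather than stored.
    if not any(data.startswith(m) for m in magics):
        return None, "content does not match extension"
    return ext, None


def store_upload(ext: str, data: bytes, upload_dir: str) -> str:
    """Write the file under a random, extension-less name.

    The path carries no user-controlled text, and with no extension a typical
    web server will not hand it to any interpreter. The caller must record the
    returned name together with `ext` (e.g. in a database) to serve it later.
    """
    os.makedirs(upload_dir, exist_ok=True)
    name = secrets.token_hex(16)
    with open(os.path.join(upload_dir, name), "wb") as f:
        f.write(data)
    return name


def serve_headers(ext: str) -> dict:
    """Response headers for returning a stored upload.

    Fixed Content-Type from the allow-list, nosniff so the browser does not
    second-guess it, attachment disposition so it is downloaded rather than
    rendered in the site's origin, and a sandboxed CSP as a second layer in
    case a client renders it anyway.
    """
    _, content_type = ALLOWED[ext]
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    print(validate_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(validate_upload("photo.png", b"<html><body>not an image</body></html>"))
    print(validate_upload("report.exe", b"MZ" + b"\x00" * 8))
    print(serve_headers("pdf"))
```

The point of the example is that the Content-Type and the storage path are decided entirely by the server's allow-list, which is exactly the condition under which an arbitrary-type upload stops being exploitable; if either of those were derived from the uploader's filename or request headers, the OWASP "Unrestricted File Upload" concerns would apply.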