lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CALHzGp4-tjHByqZxJ+mR4=ysuWPg4fu7bYNo8h3f-29e51DcfQ@mail.gmail.com>
Date: Fri, 14 Mar 2014 16:00:02 -0400
From: Chris Thompson <christhom7851@...il.com>
To: lem.nikolas@...glemail.com, full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Google vulnerabilities with PoC

Hi Nikolas,

Please do read (and understand) my entire email before responding - I
understand your frustration trying to get your message across but maybe
this will help.

Please put aside professional pride for the time being - I know how it
feels to be passionate about something yet have others simply not
understand.

Let me try and bring some sanity to the discussion and explain to you why
people maybe not agreeing with you.

You (rightly so) highlighted what you believe to be an issue in a Youtube
whereby it appears (to you) than you can upload an arbitrary file. If you
can indeed do this as you suspect then your points are valid and you "may"
be able to cause various issues associated with it such as DOS etc -
especially if the uploaded files cannot or are not tracked.

However...

Consider than you are talking to an API and what you are getting back (the
JSON response) in your example is simply a response from the API to say the
file you uploaded has been received and saved.

Now, as you no doubt know, when you upload a regular movie to YouTube, once
uploaded it goes away and does some post-processing, converting it to flash
for example. What's to say that there isn't some verification aspect to
this post-processing that checks if the file is intact a valid movie and if
not removes it.

If you could for example demonstrate that the file was indeed persistent,
by being able to retrieve it for example then again, you would have solid
ground to claim an issue however your claims at this point are based on an
assumption.... Let me explain.

1. You have demonstrated than you can send "any" file to an API and the API
returned an acknowledgment of receiving (and saving) the file.

2. You / we don't know what Google do with files once they have been
received from the API - maybe they process them and validate them - we
simply don't know.

3. You have hypothesized that you can retrieve the file by manipulating
tokens etc and you may be right, but you have not demonstrated it as such.

Because of this, you seem to have made a CLAIM that you can upload
arbitrary files to Google however SHOWN that you can simply send files to
an API and an API responds in a certain way.

I am NOT saying you haven't found an issue, what I am saying is that you
need to demonstrate that the issue is real and thus can be abused. If the
Google service simply verifies all uploaded files once they are uploaded
and discards them if invalid, then you haven't really found anything.

If you were to prove that you were able to retrieve this uploaded file then
how could anyone dispute your bug.

Hope this helps....

Cheers!

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ