Date: Sat, 15 Mar 2014 10:53:47 -0700
From: "T Imbrahim" <TImbrahim@...hemail.com>
To: "Michal Zalewski" <lcamtuf@...edump.cx>
Cc: full-disclosure@...ts.grok.org.uk, pr0ix@...oo.co.uk
Subject: Re: Fwd: Google vulnerabilities with PoC

Hello,

I am a security professional and risk manager in UAE. I support that the remote file upload on YouTube is a vulnerability, and I am sure about this. Not the slightest doubts... 

There is a different between a vulnerability and an exploit. The vulnerability here is the lack of any file extension checks, content type verification “$_FILES['uploadedfile']['type']” holds the value of the MIME type. A hacker can easily upload files using a script that allows the sending or tampering of HTTP POST requests.

e.g:

<?php
 //Demo1.php
 if($_FILES['uploadedfile']['type'] != "image/gif") {
 echo "Sorry, we only allow uploading GIF images";
 exit;
 }
 $uploaddir = 'uploads/';
 $uploadfile = $uploaddir . basename($_FILES['uploadedfile']['name']);
 if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $uploadfile)) {
 echo "File is valid, and was successfully uploaded.n";
 } else {
 echo "File uploading failed.n";
 }
 ?>
Read this for more info if you like: http://resources.infosecinstitute.com/file-upload-vulnerabilities/

if not (rwx) and only (w) to a temporary file even, the spread of malware is real no matter if the file is executed at the time is upload.

For the JSON reply:

A hacker exploits a JSON (javascript) object that has information of interest for example holding some values for cookies. A lot of times that exploits the same policy origin. The JSON object returned from a server can be forged over writing javascript function that create the object. This happens because of the same origin policy problem in browsers that cannot say if js execution it different for two different sites.


Sincerely ,
T. Imbrahim


--- lcamtuf@...edump.cx wrote:

From: Michal Zalewski <lcamtuf@...edump.cx>
To: M Kirschbaum <pr0ix@...oo.co.uk>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Date: Sat, 15 Mar 2014 09:46:27 -0700

> As a professional penetration tester, [...]
> The JSON service responds to GET requests , and there is a good chance that
> the service is also vulnerable to JSON Hijacking attacks.

That's... not how XSSI works.

To have a script inclusion vulnerability, you need to have a vanilla
GET response that contains some user-specific secrets that are
returned to the caller based on HTTP cookies (or, less likely, other
"ambient" credentials). For example, a script response that discloses
the contents of your mailbox or the list of private contacts would be
of concern.

Further, the response must be in a format that can be not only loaded,
but also inspected by another site opened in your browser; most types
of JSONP fall into this category, but JSON generally does not,
essentially because of how the meaning of "{" is overloaded in JS
depending on where it appears in a block of code.

Last but not least, the final piece of the puzzle is that the response
must be served at a URL that can be guessed by third parties who don't
have access to your account.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




_____________________________________________________________
Are you a Techie? Get Your Free Tech Email Address Now! Visit http://www.TechEmail.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists