Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Fwd: Google vulnerabilities with PoC
From: Krzysztof Kotowicz <kkotowicz+fd () gmail com>
Date: Fri, 14 Mar 2014 20:01:29 +0100

Nicholas, seriously, just stop.

You have found an 'arbitrary file upload' in a file hosting service and
claim it is a serious vulnerability. With no proof that your 'arbitrary
file' is being used anywhere in any context that would lead to code
execution - on server or client side. You cite OWASP documents (which are
unrelated to the case), academia papers from 1975 just to find a reason
it's theoretically serious, not paying any attention to what service you're
actually attacking and what have you really achieved in that (which is
demonstrating a filtering weakness at best, low risk).

Everyone on this list so far explains why you're wrong, but you just won't
stop. So you start throwing out certificates, your academia experience and
your respected company. Then - name calling everyone else. Seriously, it's
just a good laugh for most of us.

Dude, please, just because you did not qualify for a bounty, there's no
point in launching a whole campaign like you are. You're essentially
following the path of Khalil Shreateh (the guy who posted on Zuckerberg FB
wall) - he DID find a vuln though. Do you really want that? Go ahead, start
a crowdsourcing campaign!





2014-03-14 19:40 GMT+01:00 Nicholas Lemonias. <lem.nikolas () googlemail com>:

We have many PoC's including video clips. We may upload for the security
world to see.

However, this is not the way to treat security vulnerabilities. Attacking
the researcher and bringing you friends to do aswell, won't mitigate the
problem.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]