Re: Fwd: Google vulnerabilities with PoC
From: Krzysztof Kotowicz <kkotowicz+fd () gmail com>
Date: Fri, 14 Mar 2014 21:40:22 +0100
2014-03-14 20:28 GMT+01:00 Nicholas Lemonias. <lem.nikolas () googlemail com>:
> Then that also means that firewalls and IPS systems are worthless. Why
> spend so much time protecting the network layers if a user can send any
> file of choice to a remote network through http...
No, they are not worthless per se, but of course for a user content
publishing service they need to allow file upload over HTTP/s. How far
those files are inspected and later processed is another question - and
that could lead to a vulnerability that you DIDN'T demonstrate.
You just uploaded a .sh file. There's no harm in that as nowhere did you
prove that that file is being executed. Similarly (and that has been
pointed out in this thread) you could upload a PHP-GIF polyglot file to a
J2EE application - no vulnerability in this. Prove something by overwriting
a crucial file, tricking another user's browser to execute the file as HTML
from an interesting domain (XSS), popping a shell, triggering XXE when the
file is processed as XML, anything. Then that is a vulnerability. So far -
sorry, it is not, and you've been told it repeatedly.
> As for the uploaded files being persistent, there is evidence of that. For
> instance a remote admin could be tricked to execute some of the uploaded
> files (Social Engineering).
Come on, seriously? Social Engineering can make him download this file from
pastebin just as well. That's a real stretch.
IMHO it is not a security issue. You're uploading a file to some kind of
processing queue that does not validate a file type, but nevertheless only
processes those files as video - there is NO reason to suspect otherwise,
and I'd like to be proven wrong here. Proven as in PoC.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
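As an added illustration of the distinction drawn in the reply above (a file being accepted versus being executed or rendered), here is example code, not from the thread or any Google service, showing the kind of server-side checks a video upload queue can apply: classify the upload by its leading bytes rather than its name, reject mismatches and polyglots carrying active content, and hand stored files back with headers that stop a browser from treating them as HTML. The sample uploads are constructed; the content-type names and helper names are assumptions.

```python
import re

# Constructed samples standing in for the uploads discussed in the thread:
# two real video containers, a shell script, and a GIF/PHP polyglot.
SAMPLES = {
    "clip.mp4": b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2mp41" + b"\x00" * 64,
    "clip.webm": b"\x1a\x45\xdf\xa3" + b"\x00" * 64,
    "evil.sh": b"#!/bin/sh\nid\n",
    "poly.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00<?php echo 'x'; ?>",
}

ACTIVE_MARKERS = re.compile(rb"<\?php|<script|<html|<svg", re.IGNORECASE)
VIDEO_TYPES = {"video/mp4", "video/webm"}
EXT_TO_TYPE = {"mp4": "video/mp4", "webm": "video/webm", "gif": "image/gif"}

def sniff(data: bytes) -> str:
    """Classify by magic bytes, never by the name the client supplied."""
    if data[4:8] == b"ftyp":
        return "video/mp4"                 # ISO BMFF box header at offset 4
    if data.startswith(b"\x1a\x45\xdf\xa3"):
        return "video/webm"                # EBML header (WebM/Matroska)
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if data.startswith(b"#!"):
        return "text/x-shellscript"
    return "application/octet-stream"

def inspect_upload(name: str, data: bytes) -> dict:
    """Accept only genuine video whose extension matches and that carries no active markup."""
    sniffed = sniff(data)
    ext = name.rsplit(".", 1)[-1].lower()
    ext_ok = EXT_TO_TYPE.get(ext) == sniffed
    active = ACTIVE_MARKERS.search(data) is not None
    return {
        "sniffed": sniffed,
        "ext_ok": ext_ok,
        "active_content": active,
        "accept": sniffed in VIDEO_TYPES and ext_ok and not active,
    }

def download_headers(sniffed: str) -> dict:
    """Headers for serving a stored file so the browser never reinterprets
    it as HTML on the serving origin (the XSS case mentioned in the reply)."""
    return {
        "Content-Type": sniffed if sniffed in VIDEO_TYPES else "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
    }
```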