2014-03-14 20:28 GMT+01:00 Nicholas Lemonias. <lem.nikolas () googlemail com
:
Then that also means that firewalls and IPS systems are worthless. Why
spend so much time protecting the network layers if a user can send any
file of choice to a remote network through http...
No, they are not worthless per se, but of course for an user content
publishing service they need to allow file upload over HTTP/s. How far
those files are inspected and later processed is another question - and
that could lead to a vulnerability that you DIDN'T demonstrate.
You just uploaded a .sh file. There's no harm in that as nowhere did you
prove that that file is being executed. Similarly (and that has been
pointed out in this thread) you could upload a PHP-GIF polyglot file to a
J2EE application - no vulnerability in this. Prove something by overwriting
a crucial file, tricking other user's browser to execute the file as HTML
from an interesting domain (XSS), popping a shell, triggering XXE when the
file is processed as XML, anything. Then that is a vulnerability. So far -
sorry, it is not, and you've been told it repeatedly.
As for the uploaded files being persistent, there is evidence of that.
For instance a remote admin could be tricked to execute some of
the uploaded files (Social Engineering).
Come on, seriously? Social Engineering can make him download this file
from pastebin just as well. That's a real stretch.
IMHO it is not a security issue. You're uploading a file to some kind of
processing queue that does not validate a file type, but nevertheless only
processes those files as video - there is NO reason to suspect otherwise,
and I'd like to be proven wrong here. Proven as in PoC.
