Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Fwd: Google vulnerabilities with PoC
From: "T Imbrahim" <TImbrahim () techemail com>
Date: Sat, 15 Mar 2014 10:53:47 -0700

Hello,

I am a security professional and risk manager in UAE. I support that the remote file upload on YouTube is a 
vulnerability, and I am sure about this. Not the slightest doubts... 

There is a different between a vulnerability and an exploit. The vulnerability here is the lack of any file extension 
checks, content type verification “$_FILES['uploadedfile']['type']” holds the value of the MIME type. A hacker can 
easily upload files using a script that allows the sending or tampering of HTTP POST requests.

e.g:

<?php
 //Demo1.php
 if($_FILES['uploadedfile']['type'] != "image/gif") {
 echo "Sorry, we only allow uploading GIF images";
 exit;
 }
 $uploaddir = 'uploads/';
 $uploadfile = $uploaddir . basename($_FILES['uploadedfile']['name']);
 if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $uploadfile)) {
 echo "File is valid, and was successfully uploaded.n";
 } else {
 echo "File uploading failed.n";
 }
 ?>
Read this for more info if you like: http://resources.infosecinstitute.com/file-upload-vulnerabilities/

if not (rwx) and only (w) to a temporary file even, the spread of malware is real no matter if the file is executed at 
the time is upload.

For the JSON reply:

A hacker exploits a JSON (javascript) object that has information of interest for example holding some values for 
cookies. A lot of times that exploits the same policy origin. The JSON object returned from a server can be forged over 
writing javascript function that create the object. This happens because of the same origin policy problem in browsers 
that cannot say if js execution it different for two different sites.


Sincerely ,
T. Imbrahim


--- lcamtuf () coredump cx wrote:

From: Michal Zalewski <lcamtuf () coredump cx>
To: M Kirschbaum <pr0ix () yahoo co uk>
Cc: "full-disclosure () lists grok org uk" <full-disclosure () lists grok org uk>
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Date: Sat, 15 Mar 2014 09:46:27 -0700

As a professional penetration tester, [...]
The JSON service responds to GET requests , and there is a good chance that
the service is also vulnerable to JSON Hijacking attacks.

That's... not how XSSI works.

To have a script inclusion vulnerability, you need to have a vanilla
GET response that contains some user-specific secrets that are
returned to the caller based on HTTP cookies (or, less likely, other
"ambient" credentials). For example, a script response that discloses
the contents of your mailbox or the list of private contacts would be
of concern.

Further, the response must be in a format that can be not only loaded,
but also inspected by another site opened in your browser; most types
of JSONP fall into this category, but JSON generally does not,
essentially because of how the meaning of "{" is overloaded in JS
depending on where it appears in a block of code.

Last but not least, the final piece of the puzzle is that the response
must be served at a URL that can be guessed by third parties who don't
have access to your account.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




_____________________________________________________________
Are you a Techie? Get Your Free Tech Email Address Now! Visit http://www.TechEmail.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]