Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Fwd: Google vulnerabilities with PoC
From: "T Imbrahim" <TImbrahim () techemail com>
Date: Mon, 17 Mar 2014 06:25:44 -0700

Hey,

At least to me I am security paranoid. Remote File Inclusion of files to a trusted network, seems like a well backed up 
vulnerability. I think we are talking about Google here not your favourite's pizza website. I personally congratulate 
to the author for finding it, whether probing it or not. And I have nothing to do with the authors, just supporting 
what is right. 

I definitely would patch my computer if I discovered that somebody could upload files to my computer, even thought if 
couldn't 'probe' them.
 


--- joxeankoret () yahoo es wrote:

From: Joxean Koret <joxeankoret () yahoo es>
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Date: Mon, 17 Mar 2014 12:27:27 +0100

Hi,

The only probable way of exploiting it I can see would be if the servers
at Google where the files are uploaded would perform some specific tasks
with such files that could result in exploiting a vulnerability in any
of the used software (and this is something the "discoverer" failed to
probe). An example: Google malware scans the uploaded file with some AV
engine and the file is actually an exploit targeting one or more AV
products. I don't think this is the case and, even in this case, there
wouldn't be any Google's vulnerability but, rather, a vulnerability in
another product from another company.

So, in short: this conversation is stupid. There is no vulnerability we
can see here and, if there is, it cannot be probed by the discoverer and
he and his buddies attach to either ad hominem arguments or to
statements like "I am XXX with YYY years of experience doing ZZZ"
mistakenly thinking it could back any of their paranoias.

What else do we need to discuss here? I think it's time to stop this
conversation. And, yes, I know that sending an e-mail to ask for
stopping a conversation on FD is stupid too.

Regards,
Joxean Koret



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_____________________________________________________________
Are you a Techie? Get Your Free Tech Email Address Now! Visit http://www.TechEmail.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]