And I am not referring just to Google. But for those people who support that remote uploads to a trusted network is not an issue. Then that also means that firewalls and IPS systems are worthless. Why spend so much time protecting the network layers if a user can send any file of choice to a remote network...
On Fri, Mar 14, 2014 at 7:15 PM, Krzysztof Kotowicz <kkotowicz...@gmail.com>wrote: > Care to report the same to Dropbox and Pastebin? It's a gold mine, you > know... > > > 2014-03-14 20:09 GMT+01:00 Nicholas Lemonias. <lem.niko...@googlemail.com> > : > > You are wrong, because we do have proof of concepts. If we didn't have >> them, then there would be no case. >> >> But if there are video clips, images demonstrating impact - in which case >> arbitrary file uploads (which is a write() call ) to a remote network, then >> it is a vulnerability. It is not about the bounty, but rather about not >> defying academic literature and widely recognised practise. >> >> Attacking the arguer, won't make the bug to go away. >> >> Best, >> >> Nicholas. >> >> >> On Fri, Mar 14, 2014 at 7:01 PM, Krzysztof Kotowicz < >> kkotowicz...@gmail.com> wrote: >> >>> Nicholas, seriously, just stop. >>> >>> You have found an 'arbitrary file upload' in a file hosting service and >>> claim it is a serious vulnerability. With no proof that your 'arbitrary >>> file' is being used anywhere in any context that would lead to code >>> execution - on server or client side. You cite OWASP documents (which are >>> unrelated to the case), academia papers from 1975 just to find a reason >>> it's theoretically serious, not paying any attention to what service you're >>> actually attacking and what have you really achieved in that (which is >>> demonstrating a filtering weakness at best, low risk). >>> >>> Everyone on this list so far explains why you're wrong, but you just >>> won't stop. So you start throwing out certificates, your academia >>> experience and your respected company. Then - name calling everyone else. >>> Seriously, it's just a good laugh for most of us. >>> >>> Dude, please, just because you did not qualify for a bounty, there's no >>> point in launching a whole campaign like you are. You're essentially >>> following the path of Khalil Shreateh (the guy who posted on Zuckerberg FB >>> wall) - he DID find a vuln though. Do you really want that? Go ahead, start >>> a crowdsourcing campaign! >>> >>> >>> >>> >>> >>> 2014-03-14 19:40 GMT+01:00 Nicholas Lemonias. < >>> lem.niko...@googlemail.com>: >>> >>>> We have many PoC's including video clips. We may upload for the >>>> security world to see. >>>> >>>> However, this is not the way to treat security vulnerabilities. >>>> Attacking the researcher and bringing you friends to do aswell, won't >>>> mitigate the problem. >>>> >>>> >>>> >>>> _______________________________________________ >>>> Full-Disclosure - We believe in it. >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>> >>> >>> >> >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
