And I am not referring just to Google. But for those people who support that remote uploads to a trusted network is not an issue. Then that also means that firewalls and IPS systems are worthless. Why spend so much time protecting the network layers if a user can send any file of choice to a remote network through http.
On Fri, Mar 14, 2014 at 7:20 PM, Nicholas Lemonias. < lem.niko...@googlemail.com> wrote: > And I am not referring just to Google. But for those people who support > that remote uploads to a trusted network is not an issue. Then that also > means that firewalls and IPS systems are worthless. Why spend so much time > protecting the network layers if a user can send any file of choice to a > remote network... > > > > > On Fri, Mar 14, 2014 at 7:15 PM, Krzysztof Kotowicz < > kkotowicz...@gmail.com> wrote: > >> Care to report the same to Dropbox and Pastebin? It's a gold mine, you >> know... >> >> >> 2014-03-14 20:09 GMT+01:00 Nicholas Lemonias. <lem.niko...@googlemail.com >> >: >> >> You are wrong, because we do have proof of concepts. If we didn't have >>> them, then there would be no case. >>> >>> But if there are video clips, images demonstrating impact - in which >>> case arbitrary file uploads (which is a write() call ) to a remote network, >>> then it is a vulnerability. It is not about the bounty, but rather about >>> not defying academic literature and widely recognised practise. >>> >>> Attacking the arguer, won't make the bug to go away. >>> >>> Best, >>> >>> Nicholas. >>> >>> >>> On Fri, Mar 14, 2014 at 7:01 PM, Krzysztof Kotowicz < >>> kkotowicz...@gmail.com> wrote: >>> >>>> Nicholas, seriously, just stop. >>>> >>>> You have found an 'arbitrary file upload' in a file hosting service and >>>> claim it is a serious vulnerability. With no proof that your 'arbitrary >>>> file' is being used anywhere in any context that would lead to code >>>> execution - on server or client side. You cite OWASP documents (which are >>>> unrelated to the case), academia papers from 1975 just to find a reason >>>> it's theoretically serious, not paying any attention to what service you're >>>> actually attacking and what have you really achieved in that (which is >>>> demonstrating a filtering weakness at best, low risk). >>>> >>>> Everyone on this list so far explains why you're wrong, but you just >>>> won't stop. So you start throwing out certificates, your academia >>>> experience and your respected company. Then - name calling everyone else. >>>> Seriously, it's just a good laugh for most of us. >>>> >>>> Dude, please, just because you did not qualify for a bounty, there's no >>>> point in launching a whole campaign like you are. You're essentially >>>> following the path of Khalil Shreateh (the guy who posted on Zuckerberg FB >>>> wall) - he DID find a vuln though. Do you really want that? Go ahead, start >>>> a crowdsourcing campaign! >>>> >>>> >>>> >>>> >>>> >>>> 2014-03-14 19:40 GMT+01:00 Nicholas Lemonias. < >>>> lem.niko...@googlemail.com>: >>>> >>>>> We have many PoC's including video clips. We may upload for the >>>>> security world to see. >>>>> >>>>> However, this is not the way to treat security vulnerabilities. >>>>> Attacking the researcher and bringing you friends to do aswell, won't >>>>> mitigate the problem. >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> Full-Disclosure - We believe in it. >>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>>> >>>> >>>> >>> >> >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/