It's amazing how much dumber I feel for having read your drivel. Please, for the love of <$deity>, stop posting to this list.

--
W. Scott Lockwood III
AMST Tech (SPI)
GWB2009033817
http://www.shadowplayinternational.org/
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author)

On Fri, Mar 14, 2014 at 9:48 PM, Nicholas Lemonias. <lem.niko...@googlemail.com> wrote:
> Go to sleep. You have absolutely no understanding of the vulnerability, nor do you have the facts.
>
> If you want a full report, ask Softpedia, because we ain't releasing them.
>
> On Fri, Mar 14, 2014 at 8:39 PM, R D <rd.secli...@gmail.com> wrote:
>> > You are trying to execute an sh script through a video player. That's an exec() command.
>> No, it's not. That's an HTTP GET. Do you have such a poor understanding of how web applications work? Or did you just not read what I said?
>>
>> > So its the wrong way about accessing the file.
>> This way, which is the standard way to access files on YouTube, tells me the file doesn't exist. You have yet to prove the file you uploaded can be accessed or executed by anyone. For that matter, you have still to prove it can be discovered by anyone. That URL is hard to guess.
>> And you have still to answer all my other questions, and most of the questions asked of you on this list.
>> The burden of proof is on you, and you are making a fool of yourself by answering all the questions here with the same statements, and links to your PoC that doesn't prove anything, while everybody asks you for more evidence.
>> Keep on the (good?) work,
>> --Rob'
>>
>> On Fri, Mar 14, 2014 at 9:22 PM, Nicholas Lemonias. <lem.niko...@googlemail.com> wrote:
>>> You are trying to execute an sh script through a video player. That's an exec() command. So it's the wrong way about accessing the file.
>>>
>>> On Fri, Mar 14, 2014 at 8:20 PM, R D <rd.secli...@gmail.com> wrote:
>>>> No it's not. As Chris and I are saying, you don't have proof your file is accessible to others, only that it was uploaded. Now, you see, when you upload a video to YouTube, you get the address where it will be viewable in the response. In your case:
>>>>
>>>> {"sessionStatus":{"state":"FINALIZED","externalFieldTransfers":[{"name":"file","status":"COMPLETED","bytesTransferred":113,"bytesTotal":113,"formPostInfo":{"url":"http://www.youtube.com/upload/rupio?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026file_id=000","cross_domain_url":"http://upload.youtube.com/?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw"},"content_type":"text/x-sh"}],"additionalInfo":{"uploader_service.GoogleRupioAdditionalInfo":{"completionInfo":{"status":"SUCCESS","customerSpecificInfo":{"status": "ok", "video_id": "KzKDtijwHFI"}}}},"upload_id":"AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw"}}
>>>>
>>>> And what do we get when we browse to https://youtube.com/watch?v=KzKDtijwHFI ?
>>>> Nothing.
>>>> Can you send me a link where I can access the file content of the arbitrary file you uploaded?
>>>> Are you sure this JSON response, or this file, will be there in a month? Or in a year? Is the fact that this JSON response exists a threat to YouTube? Can you quantify how much of a threat? How much, in dollars, does it hurt their business?
>>>>
>>>> --Rob
>>>>
>>>> On Fri, Mar 14, 2014 at 9:08 PM, Nicholas Lemonias. <lem.niko...@googlemail.com> wrote:
>>>>> My claim is now verified....
>>>>>
>>>>> Cheers!
>>>>>
>>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <lem.niko...@googlemail.com> wrote:
>>>>>> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>>>>>
>>>>>> That information can be queried from the db, where the metadata are saved. The files are being saved persistently, as per the above example.
>>>>>>
>>>>>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. <lem.niko...@googlemail.com> wrote:
>>>>>>> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>>>>>>>
>>>>>>> That information can be queried from the db, where the metadata are saved. The files are being saved persistently, as per the above example.
>>>>>>>
>>>>>>> On Fri, Mar 14, 2014 at 8:00 PM, Chris Thompson <christhom7...@gmail.com> wrote:
>>>>>>>> Hi Nikolas,
>>>>>>>>
>>>>>>>> Please do read (and understand) my entire email before responding - I understand your frustration trying to get your message across, but maybe this will help.
>>>>>>>>
>>>>>>>> Please put aside professional pride for the time being - I know how it feels to be passionate about something yet have others simply not understand.
>>>>>>>>
>>>>>>>> Let me try and bring some sanity to the discussion and explain to you why people may not be agreeing with you.
>>>>>>>>
>>>>>>>> You (rightly so) highlighted what you believe to be an issue in YouTube whereby it appears (to you) that you can upload an arbitrary file. If you can indeed do this as you suspect, then your points are valid and you "may" be able to cause various issues associated with it, such as DoS etc. - especially if the uploaded files cannot be or are not tracked.
>>>>>>>>
>>>>>>>> However...
>>>>>>>>
>>>>>>>> Consider that you are talking to an API and what you are getting back (the JSON response) in your example is simply a response from the API to say the file you uploaded has been received and saved.
>>>>>>>>
>>>>>>>> Now, as you no doubt know, when you upload a regular movie to YouTube, once uploaded it goes away and does some post-processing, converting it to Flash for example. What's to say that there isn't some verification aspect to this post-processing that checks if the file is in fact a valid movie and if not removes it?
>>>>>>>>
>>>>>>>> If you could, for example, demonstrate that the file was indeed persistent, by being able to retrieve it for example, then again you would have solid ground to claim an issue; however, your claims at this point are based on an assumption.... Let me explain.
>>>>>>>>
>>>>>>>> 1. You have demonstrated that you can send "any" file to an API and the API returned an acknowledgment of receiving (and saving) the file.
>>>>>>>>
>>>>>>>> 2. You / we don't know what Google do with files once they have been received from the API - maybe they process them and validate them - we simply don't know.
>>>>>>>>
>>>>>>>> 3. You have hypothesized that you can retrieve the file by manipulating tokens etc. and you may be right, but you have not demonstrated it as such.
>>>>>>>>
>>>>>>>> Because of this, you seem to have made a CLAIM that you can upload arbitrary files to Google; however, you have SHOWN that you can simply send files to an API and the API responds in a certain way.
>>>>>>>>
>>>>>>>> I am NOT saying you haven't found an issue; what I am saying is that you need to demonstrate that the issue is real and thus can be abused. If the Google service simply verifies all uploaded files once they are uploaded and discards them if invalid, then you haven't really found anything.
>>>>>>>>
>>>>>>>> If you were to prove that you were able to retrieve this uploaded file, then how could anyone dispute your bug?
>>>>>>>>
>>>>>>>> Hope this helps....
>>>>>>>>
>>>>>>>> Cheers!
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
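Chris's three numbered points draw the line the whole thread turns on: an upload acknowledgement proves receipt, not that the content persists or is served back. The Python harness below is an added example, not code from anyone on the list: it parses a constructed copy of the rupio-style acknowledgement quoted by Rob (upload_id and video_id replaced by placeholders) and ranks the evidence level, with the retrieval probe injected by the caller so the harness runs offline.

```python
import json
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed sample modelled on the upload/rupio acknowledgement quoted in the
# thread; upload_id and video_id are placeholders, not the real tokens.
SAMPLE_ACK = json.dumps({"sessionStatus": {
    "state": "FINALIZED",
    "externalFieldTransfers": [{"name": "file", "status": "COMPLETED",
        "bytesTransferred": 113, "bytesTotal": 113, "content_type": "text/x-sh"}],
    "additionalInfo": {"uploader_service.GoogleRupioAdditionalInfo": {
        "completionInfo": {"status": "SUCCESS", "customerSpecificInfo": {
            "status": "ok", "video_id": "VIDEO_ID_PLACEHOLDER"}}}},
    "upload_id": "UPLOAD_ID_PLACEHOLDER"}})

@dataclass
class UploadAck:
    video_id: str
    content_type: str
    bytes_transferred: int
    complete: bool

def parse_upload_ack(text: str) -> UploadAck:
    """Extract what the acknowledgement actually asserts: receipt of N bytes of a type."""
    s = json.loads(text)["sessionStatus"]
    xfer = s["externalFieldTransfers"][0]
    info = s["additionalInfo"]["uploader_service.GoogleRupioAdditionalInfo"]["completionInfo"]
    return UploadAck(
        video_id=info["customerSpecificInfo"]["video_id"],
        content_type=xfer.get("content_type", ""),
        bytes_transferred=xfer["bytesTransferred"],
        complete=(s["state"] == "FINALIZED" and xfer["status"] == "COMPLETED"
                  and info["status"] == "SUCCESS"))

# A probe fetches a URL and returns (http_status, content_type, body), or None if
# nothing is served; the caller injects it so the harness itself stays offline.
Probe = Callable[[str], Optional[Tuple[int, str, bytes]]]

def assess_claim(ack: UploadAck, uploaded: bytes, probe: Probe) -> str:
    """Rank the evidence: 'rejected' < 'acknowledged' < 'retrievable'. Only the
    last (original bytes served back under the returned id) supports a claim of
    persisted, exposed content; an ack alone fits validate-then-discard too."""
    if not ack.complete or ack.bytes_transferred != len(uploaded):
        return "rejected"
    got = probe(f"https://youtube.com/watch?v={ack.video_id}")
    if got is not None and got[0] == 200 and got[2] == uploaded:
        return "retrievable"
    return "acknowledged"
```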