Hello, I am a security professional and risk manager in UAE. I support that the remote file upload on YouTube is a vulnerability, and I am sure about this. Not the slightest doubts...
There is a different between a vulnerability and an exploit. The vulnerability here is the lack of any file extension checks, content type verification “$_FILES['uploadedfile']['type']” holds the value of the MIME type. A hacker can easily upload files using a script that allows the sending or tampering of HTTP POST requests. e.g: <?php //Demo1.php if($_FILES['uploadedfile']['type'] != "image/gif") { echo "Sorry, we only allow uploading GIF images"; exit; } $uploaddir = 'uploads/'; $uploadfile = $uploaddir . basename($_FILES['uploadedfile']['name']); if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $uploadfile)) { echo "File is valid, and was successfully uploaded.n"; } else { echo "File uploading failed.n"; } ?> Read this for more info if you like: http://resources.infosecinstitute.com/file-upload-vulnerabilities/ if not (rwx) and only (w) to a temporary file even, the spread of malware is real no matter if the file is executed at the time is upload. For the JSON reply: A hacker exploits a JSON (javascript) object that has information of interest for example holding some values for cookies. A lot of times that exploits the same policy origin. The JSON object returned from a server can be forged over writing javascript function that create the object. This happens because of the same origin policy problem in browsers that cannot say if js execution it different for two different sites. Sincerely , T. Imbrahim --- lcam...@coredump.cx wrote: From: Michal Zalewski <lcam...@coredump.cx> To: M Kirschbaum <pr...@yahoo.co.uk> Cc: "full-disclosure@lists.grok.org.uk" <full-disclosure@lists.grok.org.uk> Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC Date: Sat, 15 Mar 2014 09:46:27 -0700 > As a professional penetration tester, [...] > The JSON service responds to GET requests , and there is a good chance that > the service is also vulnerable to JSON Hijacking attacks. That's... not how XSSI works. To have a script inclusion vulnerability, you need to have a vanilla GET response that contains some user-specific secrets that are returned to the caller based on HTTP cookies (or, less likely, other "ambient" credentials). For example, a script response that discloses the contents of your mailbox or the list of private contacts would be of concern. Further, the response must be in a format that can be not only loaded, but also inspected by another site opened in your browser; most types of JSONP fall into this category, but JSON generally does not, essentially because of how the meaning of "{" is overloaded in JS depending on where it appears in a block of code. Last but not least, the final piece of the puzzle is that the response must be served at a URL that can be guessed by third parties who don't have access to your account. /mz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _____________________________________________________________ Are you a Techie? Get Your Free Tech Email Address Now! Visit http://www.TechEmail.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/