Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-17 Thread T Imbrahim
What drugs are you on, Pedro Ribeiro, I wonder...? I express my views; if you don't like them, don't watch them. Your responses so far have only been assy speculations, so don't tell me I'm wrong, and please don't say things like that. I don't know who the other people are, but what is true in security I support. Why would you Google my name...? Is the English language causing you ill effects?

--- ped...@gmail.com wrote:

From: Pedro Ribeiro ped...@gmail.com
To: timbra...@techemail.com
Cc: full-disclosure@lists.grok.org.uk, Michal Zalewski lcam...@coredump.cx, mvi...@gmail.com, gynv...@coldwind.pl
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Date: Mon, 17 Mar 2014 09:24:08 +
On 16 Mar 2014 23:36, "T Imbrahim" timbra...@techemail.com wrote:

 The thread read Google vulnerabilities with PoC. From my understanding it was a RFI vulnerability on YouTube, and I voiced my support that this is a vulnerability.

 I also explained a JSON Hijacking case as a follow up, and you said you didn't follow. So I am just saying that treating security that way, there are other parties like NSA who welcome them happily.

I think these guys - Alfred, Kirschbaum and Imbrahim are the OP's sock puppets.
They are all first-time posters from unusual free email providers jumping to defend the OP out of nowhere. If you search Google for their emails you only find references to this thread.
They present similar (false and /or incorrect) arguments, talk about their extensive work experience, bash Google and its security team and send repeated emails with exactly the same text.
This is turning into a madhouse... I hope this guy doesn't have access to a gun.
Regards 
Pedro 

Are you a Techie? Get Your Free Tech Email Address Now! Visit http://www.TechEmail.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-17 Thread T Imbrahim
Hey,

At least to me, I am security paranoid. Remote File Inclusion of files to a 
trusted network seems like a well backed up vulnerability. I think we are 
talking about Google here, not your favourite pizza website. I personally 
congratulate the author for finding it, whether probing it or not. And I 
have nothing to do with the authors, just supporting what is right. 

I definitely would patch my computer if I discovered that somebody could upload 
files to my computer, even though I couldn't 'probe' them.
 


--- joxeanko...@yahoo.es wrote:

From: Joxean Koret joxeanko...@yahoo.es
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Date: Mon, 17 Mar 2014 12:27:27 +0100

Hi,

The only probable way of exploiting it I can see would be if the servers
at Google where the files are uploaded would perform some specific tasks
with such files that could result in exploiting a vulnerability in any
of the used software (and this is something the discoverer failed to
probe). An example: Google malware scans the uploaded file with some AV
engine and the file is actually an exploit targeting one or more AV
products. I don't think this is the case and, even in this case, there
wouldn't be any Google's vulnerability but, rather, a vulnerability in
another product from another company.

So, in short: this conversation is stupid. There is no vulnerability we
can see here and, if there is, it cannot be probed by the discoverer and
he and his buddies attach to either ad hominem arguments or to
statements like I am XXX with YYY years of experience doing ZZZ
mistakenly thinking it could back any of their paranoias.

What else do we need to discuss here? I think it's time to stop this
conversation. And, yes, I know that sending an e-mail to ask for
stopping a conversation on FD is stupid too.

Regards,
Joxean Koret





Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-16 Thread T Imbrahim
Hello... I am an IT security expert for the Emirates National Oil Company. Google is my favourite search engine by far. Now I just read the report about the unrestricted upload issue and I think that the author is right that it is a security problem.

This is a vulnerability because file name extension verification has not been used properly. The problem here has also been with the MIME type returned from the API: "$_FILES['uploadedfile']['type']" holds the value of the MIME type. Tampering with the HTTP POST request can exploit the functionality. An attacker can bypass this protection by changing the MIME type of the shell.php to "image/gif". So when an application checks the MIME type, it seems like a GIF file. The application will then upload the malicious code shell.php. That is something that definitely needs to be fixed, if it hasn't already. Definitely a security problem.

http://resources.infosecinstitute.com/file-upload-vulnerabilities/

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-16 Thread T Imbrahim
Hello,

I am a security professional and risk manager in UAE. I support that the remote 
file upload on YouTube is a vulnerability, and I am sure about this. Not the 
slightest doubts... 

There is a difference between a vulnerability and an exploit. The vulnerability 
here is the lack of any file extension checks; for content type verification, 
"$_FILES['uploadedfile']['type']" holds the value of the MIME type. A hacker 
can easily upload files using a script that allows the sending or tampering of 
HTTP POST requests.

e.g:

<?php
 // Demo1.php
 // The only check is on the MIME type the client declared in the POST body;
 // there is no extension check and no look at the file contents.
 if ($_FILES['uploadedfile']['type'] != 'image/gif') {
     echo 'Sorry, we only allow uploading GIF images';
     exit;
 }
 // The stored filename is taken from the client as well.
 $uploaddir = 'uploads/';
 $uploadfile = $uploaddir . basename($_FILES['uploadedfile']['name']);
 if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $uploadfile)) {
     echo "File is valid, and was successfully uploaded.\n";
 } else {
     echo "File uploading failed.\n";
 }
 ?>
Read this for more info if you like: 
http://resources.infosecinstitute.com/file-upload-vulnerabilities/

If not (rwx) and only (w) to a temporary file even, the spread of malware is 
real no matter if the file is executed at the time it is uploaded.

For the JSON reply:

A hacker exploits a JSON (JavaScript) object that has information of interest, 
for example holding some values for cookies. A lot of times that exploits the 
same policy origin. The JSON object returned from a server can be forged by 
overwriting the JavaScript function that creates the object. This happens because of the 
same origin policy problem in browsers that cannot tell if JS execution is 
different for two different sites.


Sincerely ,
T. Imbrahim


--- lcam...@coredump.cx wrote:

From: Michal Zalewski lcam...@coredump.cx
To: M Kirschbaum pr...@yahoo.co.uk
Cc: full-disclosure@lists.grok.org.uk full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Date: Sat, 15 Mar 2014 09:46:27 -0700

 As a professional penetration tester, [...]
 The JSON service responds to GET requests , and there is a good chance that
 the service is also vulnerable to JSON Hijacking attacks.

That's... not how XSSI works.

To have a script inclusion vulnerability, you need to have a vanilla
GET response that contains some user-specific secrets that are
returned to the caller based on HTTP cookies (or, less likely, other
ambient credentials). For example, a script response that discloses
the contents of your mailbox or the list of private contacts would be
of concern.

Further, the response must be in a format that can be not only loaded,
but also inspected by another site opened in your browser; most types
of JSONP fall into this category, but JSON generally does not,
essentially because of how the meaning of { is overloaded in JS
depending on where it appears in a block of code.

Last but not least, the final piece of the puzzle is that the response
must be served at a URL that can be guessed by third parties who don't
have access to your account.

/mz


Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-16 Thread T Imbrahim
Is this treated with the same way that says that Remote File Inclusion is not a 
security issue ? 

You don't follow? Implying ? 

I understand why nobody likes Google. If I've found a vulnerability and been 
treated like that for trying to help, I would rather sell it to the black 
market or to some government.

The NSA maybe is happy to buy a RFI on Google, I'm sure they could make good use 
of that. Google is very deceptive in security matters. 

--- lcam...@coredump.cx wrote:

From: Michal Zalewski lcam...@coredump.cx
To: timbra...@techemail.com
Cc: pr...@yahoo.co.uk, full-disclosure full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Date: Sat, 15 Mar 2014 10:59:40 -0700

 A hacker exploits a JSON (JavaScript) object that has information of interest, 
 for example holding some values for cookies. A lot of times that exploits the 
 same policy origin. The JSON object returned from a server can be forged by 
 overwriting the JavaScript function that creates the object. This happens because of 
 the same origin policy problem in browsers that cannot tell if JS execution is 
 different for two different sites.

To be honest, I'm not sure I follow, but I'm fairly confident that my
original point stands. If you believe that well-formed JSON objects
without padding can be read across origins within the browser, I would
love to see more information about that. (In this particular case, it
still wouldn't matter because the response doesn't contain secrets,
but it would certainly break a good chunk of the Internet.) JSONP is a
different animal.

/mz




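Zalewski's two replies (the XSSI conditions in the earlier post, and "well-formed JSON objects without padding" versus JSONP in the one above) come down to a grammar point that is easy to check. The block below is an added example, not part of the thread: it simulates what `<script src=...>` on an attacker's page does with a victim's response body, using `new Function` as a stand-in for the browser's script parser, and feeds it constructed responses carrying the same invented secret. The `)]}'` prefix shown as a mitigation is a known convention (Google's JSON APIs are one well-known user), assumed here for the demo rather than taken from the thread.

```javascript
// Added example (not from the thread): why a plain JSON object served on a
// GET endpoint cannot be read by another origin via <script src=...>, while a
// JSONP response can. Response bodies below are constructed for the demo.
// Node.js, no dependencies.

// Simulates what the browser does for <script src="https://victim/api"> on an
// attacker-controlled page: the response body is parsed and run as a script
// inside the attacker's page, with whatever globals the attacker set up first.
// (new Function parses the body as a function body rather than a Script; for
// the statement-level grammar that matters here the outcome is the same.)
function includeAsScript(body, attackerGlobals = {}) {
  const names = Object.keys(attackerGlobals);
  const values = names.map((n) => attackerGlobals[n]);
  try {
    new Function(...names, body)(...values);
    return { executed: true, error: null };
  } catch (e) {
    return { executed: false, error: e.constructor.name };
  }
}

// Attacker page: predefines the JSONP callback name and records anything the
// included script hands to it.
function attackerPage(responseBody, callbackName = 'cb') {
  let captured = null;
  const result = includeAsScript(responseBody, {
    [callbackName]: (data) => { captured = data; },
  });
  return { ...result, captured };
}

// Legitimate same-origin client for a response guarded with the ")]}'" prefix:
// it strips the prefix before JSON.parse. The prefix is an assumed convention
// for this demo; it exists so that the body is never a valid script.
const XSSI_PREFIX = ")]}'\n";
function parseProtectedJson(body) {
  if (!body.startsWith(XSSI_PREFIX)) throw new Error('missing XSSI prefix');
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// Constructed responses: the same user-specific secret in four encodings.
const SECRET = { user: 'alice', contacts: ['bob@example.com'] };
const RESPONSES = {
  plainObject: JSON.stringify(SECRET),            // {"user":"alice",...}
  plainArray: JSON.stringify([SECRET]),           // [{"user":"alice",...}]
  jsonp: `cb(${JSON.stringify(SECRET)});`,        // cb({"user":"alice",...});
  prefixed: XSSI_PREFIX + JSON.stringify(SECRET), // )]}'\n{"user":"alice",...}
};

// Runs every response through the attacker's page, and the prefixed one
// through the legitimate client, returning what each side ends up with.
function demo() {
  const out = {};
  for (const [name, body] of Object.entries(RESPONSES)) out[name] = attackerPage(body);
  out.legitClient = parseProtectedJson(RESPONSES.prefixed);
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

The object form `{"user":...}` fails to parse at statement level, because `{` there opens a block and a string literal cannot be a label; the array form parses and runs but produces nothing the attacker's page can reach; only the JSONP form hands the data to a function the attacker defined. This is Zalewski's point about the overloaded meaning of `{`, and it is why a vanilla GET endpoint returning bare JSON is not an XSSI finding unless it also returns secrets and its URL is guessable; a padded or callback-wrapped response that meets those two conditions is.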


Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-16 Thread T Imbrahim
The thread read Google vulnerabilities with PoC. From my understanding it was 
a RFI vulnerability on YouTube, and I voiced my support that this is a 
vulnerability. 

I also explained a JSON Hijacking case as a follow up, and you said you didn't 
follow. So I am just saying that treating security that way, there are other 
parties like NSA who welcome them happily.



--- lcam...@coredump.cx wrote:

From: Michal Zalewski lcam...@coredump.cx
To: timbra...@techemail.com
Cc: M Kirschbaum pr...@yahoo.co.uk, full-disclosure 
full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Date: Sat, 15 Mar 2014 11:47:19 -0700

 Is this treated with the same way that says that Remote File Inclusion is not 
 a security issue ?

I'm not sure how RFI came into play on this thread - the original
report wasn't about RFI.

I don't have an agenda here; I'm just trying to get to the bottom of
it and make sure that we converge on a common understanding of the
issue. As in any argument, it's fairly likely that one of us is wrong,
and I accept that it could very well be me - I have been wrong quite a
few times in my life, and it's always a valuable learning opportunity.

I think it's unfortunate that the thread has devolved into various
accusations and credential-slinging, because it reduces the likelihood
of such a productive outcome. Please feel free to ping me directly any
time, though - I'm happy to chat.

Cheers,
/mz



