You are trying to execute an sh script through a video player. That's an exec() command. So its the wrong way about accessing the file.
On Fri, Mar 14, 2014 at 8:20 PM, R D <rd.secli...@gmail.com> wrote: > No it's not. As Chris and I are saying, you don't have proof your file is > accessible to others, only that is was uploaded. Now, you see, when you > upload a video to youtube, you get the adress where it will be viewable in > the response. In your case : > > {"sessionStatus":{"state":"FINALIZED","externalFieldTransfers":[{"name":"file","status":"COMPLETED","bytesTransferred":113,"bytesTotal":113,"formPostInfo":{"url":" > http://www.youtube.com/upload/rupio?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026file_id=000 > ","cross_domain_url":" > http://upload.youtube.com/?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw"},"content_type":"text/x-sh"}],"additionalInfo":{"uploader_service.GoogleRupioAdditionalInfo":{"completionInfo":{"status":"SUCCESS","customerSpecificInfo":{"status": > "ok", *"video_id": "KzKDtijwHFI"* > }}}},"upload_id":"AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw"}} > And what do we get when we browse to > https://youtube.com/watch?v=KzKDtijwHFI ? > Nothing. > Can you send me a link where I can access the file content of the > arbitrary file you uploaded? > Are you sure this json response, or this file, will be there in a month? > Or in a year? Is the fact that this json response exists a threat to > youtube? Can you quantify how of a threat? How much, in dollars, does it > hurt their business? > > --Rob > > > On Fri, Mar 14, 2014 at 9:08 PM, Nicholas Lemonias. < > lem.niko...@googlemail.com> wrote: > >> My claim is now verified.... >> >> Cheers! >> >> >> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. < >> lem.niko...@googlemail.com> wrote: >> >>> http://upload.youtube.com/?authuser=0&upload_id= >>> AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1-- >>> uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin= >>> CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw >>> >>> That information can be queried from the db, where the metadata are >>> saved. The files are being saved persistently , as per the above example. >>> >>> >>> On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. < >>> lem.niko...@googlemail.com> wrote: >>> >>>> >>>> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw >>>> >>>> That information can be queried from the db, where the metadata are >>>> saved. The files are being saved persistently , as per the above example. >>>> >>>> >>>> On Fri, Mar 14, 2014 at 8:00 PM, Chris Thompson < >>>> christhom7...@gmail.com> wrote: >>>> >>>>> Hi Nikolas, >>>>> >>>>> Please do read (and understand) my entire email before responding - I >>>>> understand your frustration trying to get your message across but maybe >>>>> this will help. >>>>> >>>>> Please put aside professional pride for the time being - I know how it >>>>> feels to be passionate about something yet have others simply not >>>>> understand. >>>>> >>>>> Let me try and bring some sanity to the discussion and explain to you >>>>> why people maybe not agreeing with you. >>>>> >>>>> You (rightly so) highlighted what you believe to be an issue in a >>>>> Youtube whereby it appears (to you) than you can upload an arbitrary file. >>>>> If you can indeed do this as you suspect then your points are valid and >>>>> you >>>>> "may" be able to cause various issues associated with it such as DOS etc - >>>>> especially if the uploaded files cannot or are not tracked. >>>>> >>>>> However... >>>>> >>>>> Consider than you are talking to an API and what you are getting back >>>>> (the JSON response) in your example is simply a response from the API to >>>>> say the file you uploaded has been received and saved. >>>>> >>>>> Now, as you no doubt know, when you upload a regular movie to YouTube, >>>>> once uploaded it goes away and does some post-processing, converting it to >>>>> flash for example. What's to say that there isn't some verification aspect >>>>> to this post-processing that checks if the file is intact a valid movie >>>>> and >>>>> if not removes it. >>>>> >>>>> If you could for example demonstrate that the file was indeed >>>>> persistent, by being able to retrieve it for example then again, you would >>>>> have solid ground to claim an issue however your claims at this point are >>>>> based on an assumption.... Let me explain. >>>>> >>>>> 1. You have demonstrated than you can send "any" file to an API and >>>>> the API returned an acknowledgment of receiving (and saving) the file. >>>>> >>>>> 2. You / we don't know what Google do with files once they have been >>>>> received from the API - maybe they process them and validate them - we >>>>> simply don't know. >>>>> >>>>> 3. You have hypothesized that you can retrieve the file by >>>>> manipulating tokens etc and you may be right, but you have not >>>>> demonstrated >>>>> it as such. >>>>> >>>>> Because of this, you seem to have made a CLAIM that you can upload >>>>> arbitrary files to Google however SHOWN that you can simply send files to >>>>> an API and an API responds in a certain way. >>>>> >>>>> I am NOT saying you haven't found an issue, what I am saying is that >>>>> you need to demonstrate that the issue is real and thus can be abused. If >>>>> the Google service simply verifies all uploaded files once they are >>>>> uploaded and discards them if invalid, then you haven't really found >>>>> anything. >>>>> >>>>> If you were to prove that you were able to retrieve this uploaded file >>>>> then how could anyone dispute your bug. >>>>> >>>>> Hope this helps.... >>>>> >>>>> Cheers! >>>>> >>>> >>>> >>> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/