Care to report the same to Dropbox and Pastebin? It's a gold mine, you know...
2014-03-14 20:09 GMT+01:00 Nicholas Lemonias. <lem.niko...@googlemail.com>: > You are wrong, because we do have proof of concepts. If we didn't have > them, then there would be no case. > > But if there are video clips, images demonstrating impact - in which case > arbitrary file uploads (which is a write() call ) to a remote network, then > it is a vulnerability. It is not about the bounty, but rather about not > defying academic literature and widely recognised practise. > > Attacking the arguer, won't make the bug to go away. > > Best, > > Nicholas. > > > On Fri, Mar 14, 2014 at 7:01 PM, Krzysztof Kotowicz < > kkotowicz...@gmail.com> wrote: > >> Nicholas, seriously, just stop. >> >> You have found an 'arbitrary file upload' in a file hosting service and >> claim it is a serious vulnerability. With no proof that your 'arbitrary >> file' is being used anywhere in any context that would lead to code >> execution - on server or client side. You cite OWASP documents (which are >> unrelated to the case), academia papers from 1975 just to find a reason >> it's theoretically serious, not paying any attention to what service you're >> actually attacking and what have you really achieved in that (which is >> demonstrating a filtering weakness at best, low risk). >> >> Everyone on this list so far explains why you're wrong, but you just >> won't stop. So you start throwing out certificates, your academia >> experience and your respected company. Then - name calling everyone else. >> Seriously, it's just a good laugh for most of us. >> >> Dude, please, just because you did not qualify for a bounty, there's no >> point in launching a whole campaign like you are. You're essentially >> following the path of Khalil Shreateh (the guy who posted on Zuckerberg FB >> wall) - he DID find a vuln though. Do you really want that? Go ahead, start >> a crowdsourcing campaign! >> >> >> >> >> >> 2014-03-14 19:40 GMT+01:00 Nicholas Lemonias. <lem.niko...@googlemail.com >> >: >> >>> We have many PoC's including video clips. We may upload for the security >>> world to see. >>> >>> However, this is not the way to treat security vulnerabilities. >>> Attacking the researcher and bringing you friends to do aswell, won't >>> mitigate the problem. >>> >>> >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >> >> >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
