Correct. The mime type can be circumvented. We can confirm this to be a valid vulnerability.
For the PoC's : http://news.softpedia.com/news/Expert-Finds-File-Upload-Vulnerability-in-YouTube-Google-Denies-It-s-a-Security-Issue-431489.shtml On Fri, Mar 14, 2014 at 8:40 PM, Krzysztof Kotowicz <kkotowicz...@gmail.com>wrote: > > 2014-03-14 20:28 GMT+01:00 Nicholas Lemonias. <lem.niko...@googlemail.com> > : > > Then that also means that firewalls and IPS systems are worthless. Why >> spend so much time protecting the network layers if a user can send any >> file of choice to a remote network through http... >> > > No, they are not worthless per se, but of course for an user content > publishing service they need to allow file upload over HTTP/s. How far > those files are inspected and later processed is another question - and > that could lead to a vulnerability that you DIDN'T demonstrate. > > You just uploaded a .sh file. There's no harm in that as nowhere did you > prove that that file is being executed. Similarly (and that has been > pointed out in this thread) you could upload a PHP-GIF polyglot file to a > J2EE application - no vulnerability in this. Prove something by overwriting > a crucial file, tricking other user's browser to execute the file as HTML > from an interesting domain (XSS), popping a shell, triggering XXE when the > file is processed as XML, anything. Then that is a vulnerability. So far - > sorry, it is not, and you've been told it repeatedly. > > > As for the uploaded files being persistent, there is evidence of that. >> For instance a remote admin could be tricked to execute some of >> the uploaded files (Social Engineering). >> > > Come on, seriously? Social Engineering can make him download this file > from pastebin just as well. That's a real stretch. > > IMHO it is not a security issue. You're uploading a file to some kind of > processing queue that does not validate a file type, but nevertheless only > processes those files as video - there is NO reason to suspect otherwise, > and I'd like to be proven wrong here. Proven as in PoC. > > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
