On Thu, Mar 13, 2014 at 10:30 PM, Nicholas Lemonias. < lem.niko...@googlemail.com> wrote:
> We confirm this to be a valid vulnerability for the following reasons.
>
> The access control subsystem is defeated, resulting in arbitrary write access of any file of choice.
>
> 1. YouTube defines which file types are permitted to be uploaded.

And...?

> 2. Exploitation is achieved by circumvention of web-based security controls (namely http forms, which is a weak security measure). However, exploitation of the issue results in unrestricted file uploads (any file of choice). Remote code execution may be possible either through social engineering, or by stochastically rewriting an existing file-structure in the CDN.

So in other words, you haven't proven it. The upload in itself is not a vulnerability (and if you understood that it is, please read again that OWASP document).

> 3. This directly impacts the integrity of the service since modification of information occurs by circumvention. Renaming the uploaded files can be achieved through YouTube's inherent video manager.

How does it impact the integrity? Again, unexpected functionality does not necessarily equal exploitation.

> 4. Denial of Service attacks are feasible since we bypass all security restrictions. This directly impacts the availability of the service.

Not proven either. At this point I feel you're just making stuff up. All you did was upload stuff you can't download afterwards.

> 5. Malware propagation is possible, if the planted code gets executed through social engineering or by re-writing a valid file system structure.

Again, you need to be able to download the stuff you uploaded, and have it executed directly. Otherwise you could do the same thing more efficiently with Google Drive.

> 6) All uploaded files can be downloaded through Google Takeout, if past the Content ID filtering algorithm (through file header obfuscation and encryption).

You need to explain how that is an attack vector.
> Best Regards,
> Nicholas Lemonias
> Advanced Information Security Corp.

--
"There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people."
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
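The disagreement above turns on whether bypassing the file-type restriction in an HTML upload form is, by itself, a vulnerability. The defender's takeaway is the one the OWASP unrestricted-file-upload guidance makes: the form's `accept` attribute and any client-side filtering are convenience features, and the only check that counts is the server's. The following is an added example, not code from either poster or from YouTube, of what such a server-side gate looks like: it allowlists a few video containers by extension, verifies the declared extension and Content-Type against the file's magic bytes, rejects path components in the client-supplied name, enforces a size cap, and never reuses the client's filename on disk. The container list, MIME mapping, size limit and sample byte strings are all assumptions constructed for the example.

```python
"""Server-side upload validation (constructed example, not from the thread).

The browser form may restrict what the user can pick; the server must assume
that restriction was not honoured and validate the bytes it actually received.
"""
import secrets
from typing import Optional, Tuple

# Allowlist of accepted containers, keyed by canonical extension.
# Each entry is a list of (offset, signature) pairs that must all match.
# Assumption for this example: only these three formats are acceptable.
MAGIC = {
    "mp4":  [(4, b"ftyp")],                 # ISO base media file ("ftyp" box at offset 4)
    "webm": [(0, b"\x1a\x45\xdf\xa3")],     # EBML header used by Matroska/WebM
    "avi":  [(0, b"RIFF"), (8, b"AVI ")],   # RIFF container carrying the AVI tag
}
MIME_FOR = {"mp4": "video/mp4", "webm": "video/webm", "avi": "video/x-msvideo"}
MAX_BYTES = 256 * 1024 * 1024  # constructed size cap for the example


def detect_type(data: bytes) -> Optional[str]:
    """Return the allowlisted type whose magic bytes match the content, else None."""
    for ext, checks in MAGIC.items():
        if all(data[off:off + len(sig)] == sig for off, sig in checks):
            return ext
    return None


def validate_upload(filename: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Server-side gate. Returns (accepted, detected type or rejection reason).

    Every value here (name, Content-Type, body) is attacker-controlled input:
    the HTML form that produced it is not a security boundary.
    """
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "size out of bounds"
    # Reject any path separators or NULs so the name can never escape a directory.
    if filename in ("", ".", "..") or any(c in filename for c in "/\\\x00"):
        return False, "filename contains path components"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False, f"extension {ext!r} not allowlisted"
    detected = detect_type(data)
    if detected is None:
        return False, "content does not match any allowlisted container"
    if detected != ext:
        return False, f"extension {ext!r} does not match content {detected!r}"
    if content_type != MIME_FOR[detected]:
        return False, f"declared Content-Type {content_type!r} is not {MIME_FOR[detected]!r}"
    return True, detected


def storage_name(detected: str) -> str:
    """Pick a random on-disk name; the client-supplied name is never used for storage."""
    return f"{secrets.token_hex(16)}.{detected}"


# Constructed sample bodies: a minimal MP4-like header, a WebM header, and a
# PE executable header renamed to look like a video.
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypmp42" + bytes(40)
SAMPLE_WEBM = b"\x1a\x45\xdf\xa3" + bytes(40)
SAMPLE_EXE = b"MZ\x90\x00" + bytes(40)


def demo() -> dict:
    """Run the gate over the constructed samples and return the verdicts."""
    return {
        "genuine mp4":        validate_upload("clip.mp4", "video/mp4", SAMPLE_MP4),
        "exe renamed .mp4":   validate_upload("clip.mp4", "video/mp4", SAMPLE_EXE),
        "mp4 named .webm":    validate_upload("clip.webm", "video/webm", SAMPLE_MP4),
        "traversal in name":  validate_upload("../clip.mp4", "video/mp4", SAMPLE_MP4),
        "wrong content-type": validate_upload("clip.mp4", "application/octet-stream", SAMPLE_MP4),
        "genuine webm":       validate_upload("clip.webm", "video/webm", SAMPLE_WEBM),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:20s} -> {verdict}")
```

Running the block shows only the two genuine samples accepted; the renamed executable, the mismatched extension, the traversal name and the wrong Content-Type are each refused with a reason. Magic-byte checks are a first filter, not a guarantee that the file is well-formed, so a real pipeline would follow acceptance with a transcode into a server-chosen container, which also removes whatever the original header carried.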