If he can change the mime type, then he indeed may have an attack vector, e.g. he could upload a complete youtube-lookalike site and snatch credentials. If you can access the fake site via HTTPS with a youtube cert, it's an obvious vulnerability.
On 03/14/2014 07:05 AM, Mario Vilas wrote: > You're still missing the attack vector (and the point of the discussion > too, but that's painfully obvious). > > > On Fri, Mar 14, 2014 at 4:21 AM, Nicholas Lemonias. < > lem.niko...@googlemail.com> wrote: > >> >> Here's my evidence. >> >> Live Proof Of Concept >> ================== >> >> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw >> >> >> >> {"sessionStatus":{"state":"FINALIZED","externalFieldTransfers":[{"name":"file","status":"COMPLETED","bytesTransferred":113,"bytesTotal":113,"formPostInfo":{"url":" >> http://www.youtube.com/upload/rupio?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026file_id=000 >> ","cross_domain_url":" >> http://upload.youtube.com/?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw"},"content_type":"text/x-sh"}],"additionalInfo":{"uploader_service.GoogleRupioAdditionalInfo":{"completionInfo":{"status":"SUCCESS","customerSpecificInfo":{"status": >> "ok", "video_id": >> "KzKDtijwHFI"}}}},"upload_id":"AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw"}} >> >> The above proof of concept demonstrates : >> >> 1. We have bypassed the security controls in Youtube and uploaded an >> unexpected file type. >> 2. The file is persistent and has not been deleted by YouTube. >> 3. It can be queried for information since it is assigned a unique >> upload_id. >> 4. It's successfully uploaded to youtube.com As you can see it give out >> the total bytes written to the remote network. >> 5. "content_type":"text/x-sh"}] -------> The file is a shell >> script script named 'file' >> 6. It can be enumerated by a non-authenticated user, remotely. >> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
