Hey, At least to me I am security paranoid. Remote File Inclusion of files to a trusted network, seems like a well backed up vulnerability. I think we are talking about Google here not your favourite's pizza website. I personally congratulate to the author for finding it, whether probing it or not. And I have nothing to do with the authors, just supporting what is right.
I definitely would patch my computer if I discovered that somebody could upload files to my computer, even thought if couldn't 'probe' them. --- joxeanko...@yahoo.es wrote: From: Joxean Koret <joxeanko...@yahoo.es> To: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC Date: Mon, 17 Mar 2014 12:27:27 +0100 Hi, The only probable way of exploiting it I can see would be if the servers at Google where the files are uploaded would perform some specific tasks with such files that could result in exploiting a vulnerability in any of the used software (and this is something the "discoverer" failed to probe). An example: Google malware scans the uploaded file with some AV engine and the file is actually an exploit targeting one or more AV products. I don't think this is the case and, even in this case, there wouldn't be any Google's vulnerability but, rather, a vulnerability in another product from another company. So, in short: this conversation is stupid. There is no vulnerability we can see here and, if there is, it cannot be probed by the discoverer and he and his buddies attach to either ad hominem arguments or to statements like "I am XXX with YYY years of experience doing ZZZ" mistakenly thinking it could back any of their paranoias. What else do we need to discuss here? I think it's time to stop this conversation. And, yes, I know that sending an e-mail to ask for stopping a conversation on FD is stupid too. Regards, Joxean Koret _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _____________________________________________________________ Are you a Techie? Get Your Free Tech Email Address Now! Visit http://www.TechEmail.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
