Let's try some scenarios and if those can be pulled out then I'd say it's safe to assume this is an issue:
1. Upload a webshell (in a war, php, asp[x], jsp or similar file) and have it executed by YouTube;
2. Upload a malicious file (pdf, swf, jar or similar file which exploits a known or unknown vulnerability in the respective apps) and have it served by YouTube;
3. Upload a file which alters the behavior of the YouTube application (i.e., a configuration file, HTML or JavaScript template, even a UI image).

Otherwise you just uploaded a file which went into a bitbucket, but you have no way of pulling this file out of said bitbucket in a way that can cause harm to either the application or its users.

Should YouTube restrict file uploads to known valid mime types? Sure, but that's only how you got the data in there to begin with. It's what happens after the data is in that will make all the difference.

On Mon, Mar 17, 2014 at 10:47 AM, Mario Vilas <mvi...@gmail.com> wrote:
>
> On Mon, Mar 17, 2014 at 2:25 PM, T Imbrahim <timbra...@techemail.com> wrote:
>
>> I definitely would patch my computer if I discovered that somebody could
>> upload files to my computer, even though it couldn't 'probe' them.
>
> 1) I don't think you understood the meaning of the word "probe" in this
> context, Nikolas,
> 2) Does that mean you believe Dropbox is vulnerable to remote file upload
> too?
>
> --
> "There's a reason we separate military and the police: one fights
> the enemy of the state, the other serves and protects the people. When
> the military becomes both, then the enemies of the state tend to become the
> people."
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
"If debugging is the process of removing software bugs, then programming must be the process of putting them in." - Edsger Dijkstra