[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC



Hello,

I am a security professional and risk manager in UAE. I support that the remote 
file upload on YouTube is a vulnerability, and I am sure about this. Not the 
slightest doubts... 

There is a different between a vulnerability and an exploit. The vulnerability 
here is the lack of any file extension checks, content type verification 
“$_FILES['uploadedfile']['type']” holds the value of the MIME type. A hacker 
can easily upload files using a script that allows the sending or tampering of 
HTTP POST requests.

e.g:

<?php
 //Demo1.php
 if($_FILES['uploadedfile']['type'] != "image/gif") {
 echo "Sorry, we only allow uploading GIF images";
 exit;
 }
 $uploaddir = 'uploads/';
 $uploadfile = $uploaddir . basename($_FILES['uploadedfile']['name']);
 if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $uploadfile)) {
 echo "File is valid, and was successfully uploaded.n";
 } else {
 echo "File uploading failed.n";
 }
 ?>
Read this for more info if you like: 
http://resources.infosecinstitute.com/file-upload-vulnerabilities/

if not (rwx) and only (w) to a temporary file even, the spread of malware is 
real no matter if the file is executed at the time is upload.

For the JSON reply:

A hacker exploits a JSON (javascript) object that has information of interest 
for example holding some values for cookies. A lot of times that exploits the 
same policy origin. The JSON object returned from a server can be forged over 
writing javascript function that create the object. This happens because of the 
same origin policy problem in browsers that cannot say if js execution it 
different for two different sites.


Sincerely ,
T. Imbrahim


--- lcamtuf@xxxxxxxxxxx wrote:

From: Michal Zalewski <lcamtuf@xxxxxxxxxxx>
To: M Kirschbaum <pr0ix@xxxxxxxxxxx>
Cc: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Date: Sat, 15 Mar 2014 09:46:27 -0700

> As a professional penetration tester, [...]
> The JSON service responds to GET requests , and there is a good chance that
> the service is also vulnerable to JSON Hijacking attacks.

That's... not how XSSI works.

To have a script inclusion vulnerability, you need to have a vanilla
GET response that contains some user-specific secrets that are
returned to the caller based on HTTP cookies (or, less likely, other
"ambient" credentials). For example, a script response that discloses
the contents of your mailbox or the list of private contacts would be
of concern.

Further, the response must be in a format that can be not only loaded,
but also inspected by another site opened in your browser; most types
of JSONP fall into this category, but JSON generally does not,
essentially because of how the meaning of "{" is overloaded in JS
depending on where it appears in a block of code.

Last but not least, the final piece of the puzzle is that the response
must be served at a URL that can be guessed by third parties who don't
have access to your account.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




_____________________________________________________________
Are you a Techie? Get Your Free Tech Email Address Now! Visit 
http://www.TechEmail.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/