Full Disclosure mailing list archives
Re: Fwd: Google vulnerabilities with PoC
From: "Nicholas Lemonias." <lem.nikolas () googlemail com>
Date: Fri, 14 Mar 2014 19:16:18 +0000
We are not asking for a payment. But at least a thank you for our efforts would do. Saying that it is not an issue, to upload remotely any file of choice, that is ridiculous for the organisation they represent. On Fri, Mar 14, 2014 at 7:09 PM, Nicholas Lemonias. < lem.nikolas () googlemail com> wrote:
You are wrong, because we do have proof of concepts. If we didn't have them, then there would be no case. But if there are video clips, images demonstrating impact - in which case arbitrary file uploads (which is a write() call ) to a remote network, then it is a vulnerability. It is not about the bounty, but rather about not defying academic literature and widely recognised practise. Attacking the arguer, won't make the bug to go away. Best, Nicholas. On Fri, Mar 14, 2014 at 7:01 PM, Krzysztof Kotowicz < kkotowicz+fd () gmail com> wrote:Nicholas, seriously, just stop. You have found an 'arbitrary file upload' in a file hosting service and claim it is a serious vulnerability. With no proof that your 'arbitrary file' is being used anywhere in any context that would lead to code execution - on server or client side. You cite OWASP documents (which are unrelated to the case), academia papers from 1975 just to find a reason it's theoretically serious, not paying any attention to what service you're actually attacking and what have you really achieved in that (which is demonstrating a filtering weakness at best, low risk). Everyone on this list so far explains why you're wrong, but you just won't stop. So you start throwing out certificates, your academia experience and your respected company. Then - name calling everyone else. Seriously, it's just a good laugh for most of us. Dude, please, just because you did not qualify for a bounty, there's no point in launching a whole campaign like you are. You're essentially following the path of Khalil Shreateh (the guy who posted on Zuckerberg FB wall) - he DID find a vuln though. Do you really want that? Go ahead, start a crowdsourcing campaign! 2014-03-14 19:40 GMT+01:00 Nicholas Lemonias. <lem.nikolas () googlemail com:We have many PoC's including video clips. We may upload for the security world to see. However, this is not the way to treat security vulnerabilities. Attacking the researcher and bringing you friends to do aswell, won't mitigate the problem. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Fwd: Google vulnerabilities with PoC, (continued)
- Message not available
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC antisnatchor (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Mario Vilas (Mar 14)
- Message not available
- Message not available
- Message not available
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Message not available
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC J. Tozo (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Krzysztof Kotowicz (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Krzysztof Kotowicz (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC R D (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Mario Vilas (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Julius Kivimäki (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Nicholas Lemonias. (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Krzysztof Kotowicz (Mar 14)
- Re: Fwd: Google vulnerabilities with PoC Michal Zalewski (Mar 14)