_____ .___ _________
/ _ \ | |/ _____/
/ /_\ \| |\_____ \
/ | \ |/ \
\____|__ /___/_______ /
\/ \/ Corporation
Google's YouTube Arbitrary File Upload Vulnerability Report
##################################################
Author: Mr Nicholas Lemonias. (Information Security Specialist)
Credits: Advanced Information Security Corporation, (USA)
Type: Web Application / Unrestricted File Upload
(Upload of other file-formats not supported by default function)
########################################################
Live PoC - Confirming completion of arbitrary uploads to Google's Servers,
as of today.
############################################################
http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
PoC Image: http://oi59.tinypic.com/fdg4mu.jpg
File Uploads in PoC: Bash Script Upload
Full report can be found at:
http://dl.packetstormsecurity.net/1403-exploits/Google-Report2702.pdf
Thanks,
Disclaimer
##################################
The views expressed in the publications do not imply endorsement. Advanced
Information Security Corporation is not responsible, and will not be held
liable for any damages results from the use or distribution of
such information in any way. All information are posted on an " AS IS "
condition, under the FOI.
All material on these pages, including without limitation text, logos,
icons, photographs and all other artwork, is copyright material of
Advanced Information Security Corporation, unless otherwise stated.
Unauthorised copy, distribution or reproduction of information, contained
in this report, is strictly prohibited.
Therefore use of this material may only be made with the express, prior
written permission of Advanced Information Security Corporation who is the
author of this advisory;
Material provided by any third party, including material obtained through
links to other websites, is likely to be the copyright material of the
author. Permission to copy or otherwise use such material must be obtained
from the author.
Advanced Information Security seeks to ensure that information contained in
these pages is accurate at all times.
However, no liability or responsibility is accepted arising from reliance
upon the information contained in these pages or any other information
accessed via this site, including without limitation for information
reached via links on this site to external sites.
This vulnerability report is always posted for the wider benefit of the
security community, to help mature the practise and for education
purposes, again on an "AS IS" condition and without any warranties.
Advanced Information Security disclaims all warranties, including the
warranty of merchantability and capability fit for a particular purpose;
Please note that information contained are posted under the FOI, on an 'AS
IS condition', and as per best security practise.
####################################################################
* Copyrights Advanced Information Security Corp (c), 2014 *
/ _ \ | |/ _____/
/ /_\ \| |\_____ \
/ | \ |/ \
\____|__ /___/_______ /
\/ \/ Corporation
Google's YouTube Arbitrary File Upload Vulnerability Report
##################################################
Author: Mr Nicholas Lemonias. (Information Security Specialist)
Credits: Advanced Information Security Corporation, (USA)
Type: Web Application / Unrestricted File Upload
(Upload of other file-formats not supported by default function)
########################################################
Live PoC - Confirming completion of arbitrary uploads to Google's Servers,
as of today.
############################################################
http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
PoC Image: http://oi59.tinypic.com/fdg4mu.jpg
File Uploads in PoC: Bash Script Upload
Full report can be found at:
http://dl.packetstormsecurity.net/1403-exploits/Google-Report2702.pdf
Thanks,
Disclaimer
##################################
The views expressed in the publications do not imply endorsement. Advanced
Information Security Corporation is not responsible, and will not be held
liable for any damages results from the use or distribution of
such information in any way. All information are posted on an " AS IS "
condition, under the FOI.
All material on these pages, including without limitation text, logos,
icons, photographs and all other artwork, is copyright material of
Advanced Information Security Corporation, unless otherwise stated.
Unauthorised copy, distribution or reproduction of information, contained
in this report, is strictly prohibited.
Therefore use of this material may only be made with the express, prior
written permission of Advanced Information Security Corporation who is the
author of this advisory;
Material provided by any third party, including material obtained through
links to other websites, is likely to be the copyright material of the
author. Permission to copy or otherwise use such material must be obtained
from the author.
Advanced Information Security seeks to ensure that information contained in
these pages is accurate at all times.
However, no liability or responsibility is accepted arising from reliance
upon the information contained in these pages or any other information
accessed via this site, including without limitation for information
reached via links on this site to external sites.
This vulnerability report is always posted for the wider benefit of the
security community, to help mature the practise and for education
purposes, again on an "AS IS" condition and without any warranties.
Advanced Information Security disclaims all warranties, including the
warranty of merchantability and capability fit for a particular purpose;
Please note that information contained are posted under the FOI, on an 'AS
IS condition', and as per best security practise.
####################################################################
* Copyrights Advanced Information Security Corp (c), 2014 *