Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: nVidia.com [Url Redirection flaw]

From: mac.user () mac hush com
Date: Tue, 24 Mar 2009 15:50:54 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

dude... off list...  "fuera de la lista" ?  Can anyone help us
overcome this language barrier?

On Tue, 24 Mar 2009 15:46:02 -0400 Rubén Camarero
<rjcamarero () gmail com> wrote:

Perhaps.

On Tue, Mar 24, 2009 at 3:39 PM, <mac.user () mac hush com> wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Are you even aware that you've been arguing with me?  Perhaps we
should move this discussion off-list, so we don't annoy the rest

of

the bugtrackers...

On Tue, 24 Mar 2009 15:34:32 -0400 Rubén Camarero
<rjcamarero () gmail com> wrote:

I am only stating that the bug posted here isn't serious. I

agree

with you
on the other issues, more or less anyways.

On Tue, Mar 24, 2009 at 3:30 PM, <mac.user () mac hush com> wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

nvidia has a poor track record with security.  I'm citing two
examples.  One is on their website, and one is in their

drivers.

Can you cite anything they have done right?  Your effective

arguing

strategies makes you a top nominee for Gadi Evron's no-

swearing

event at defcon.

On Tue, 24 Mar 2009 15:27:09 -0400 Rubén Camarero
<rjcamarero () gmail com> wrote:

That example has nothing to do with this particular bug.

Using

multiple
exclamation or question marks does not help your ineffective
argument,
either.

On Tue, Mar 24, 2009 at 3:15 PM, <mac.user () mac hush com>

wrote:



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

With all due respect, my corned beef and sauerkraut

smelling

friend, I am simply pointing out that when it comes to

security

nvidia is clueless.  Do you not remember the great debacle

of

2006

when Rapid7 showed off remote kernel exploitation of the

nvidia

driver by webbrowser?  http://kerneltrap.org/node/7228

should

refresh your memory.  40 million lost credit cards but at

least

they put nvidia in their rightful place and have their

priorities

in order.  And speaking of security concerns and nvidia,

why

do

you

think Microsoft didn't use nvidia in their trusted gaming

platform

xbox360????  Everyone in our industry knows that nvidia is

shit

for

security, even their javascript sucks!!!


On Tue, 24 Mar 2009 14:45:46 -0400 Rubén Camarero
<rjcamarero () gmail com> wrote:

If ATI and nVidia were web content developers, this may

be a

valid

argument,
but they are not. They are graphics vendors, hardware and
software. Not to
mention the fact that this isn't a "serious" issue. RFI

is a

serious issue,
IMHO.

On Tue, Mar 24, 2009 at 1:37 PM, <mac.user () mac hush com>

wrote:



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have been saying for years that ATI is better than

nvidia

and

here is just one more reason!  You don't see serious

issues

like

this with ATI's website.

On Tue, 24 Mar 2009 10:13:21 -0400 Lorenzo Vogelsang
<vogelsang.lorenzo () gmail com> wrote:

Hi all, i'm new to the list. I'm an italian student

who

likes

security
topics in the I.C.T world..

Browsing the nVdia web sites, i have found a very

basic

Url

redirection
flaw. Infact when downloading a driver i get Urls like

this:












http://www.nvidia.com/content/DriverDownload/download_confirmat

i

o

n

.









asp?kw=&url=http://us.download.nvidia.com/Windows/179.48/179.48

_

n

o

t

ebook_winxp_64bit_beta.exe

and connecting to this another Url











http://www.nvidia.com/content/DriverDownload/download_confirmat

i

o

n

.

asp?kw=&url=http://www.google.it


will redirects succefully to www.google.it! (or other

web

site

of

your
choice , or downloadble content..)


Enjoy!

Lorenzo Vogelsang.

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at

https://www.hushtools.com/verify










wpwEAQMCAAYFAknJGmEACgkQfuF4tUz/X+KtEQP/fg36QI6yY9Hw6Q5eOsLUBGtP

j

g

9

/









kxEmlsVdQl23h92FU75bHiOHhDMo7nLMCbHH7HHZDMvEw05OCDBaOqTx54xyTHBa

y

H

4

s









xf4joU8LSrTOFrklgT7tGXr+AMIfi4ypgIXzRv6Gx0vD3EAKIR3KWL4qFtg/OahH

k

l

7

q

jOiz888=
=2MOh
-----END PGP SIGNATURE-----

--
Can't pay your bills?  Click here to learn about filing

for

bankruptcy.










http://tagline.hushmail.com/fc/BLSrjkqhNChbdTZRNxLsL4IFkcZYo7APt

e

6

M

FdjI1xth2KPqL4lm3VupTlG/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-

charter.html

Hosted and sponsored by Secunia - http://secunia.com/





--
Rubén Camarero
CCNA, CISSP

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at

https://www.hushtools.com/verify








wpwEAQMCAAYFAknJMWoACgkQfuF4tUz/X+LbggP9GPddhDh3krXB3ieyORr5Yd2Rd

E

6

l







foRgQOUAaXbnpxc+d2XFByNe8wAYHF+dheNou5cb0XBF99NmW4wt2uoR57/7PmSp6

z

d

M







1bsBzocX6Kkpbl38bMf4ZG/OlEz7cqfNOGExPE5cicr2Y462fk/BAWfUWV6B82ieW

z

4

Z

BbBeab8=
=ZiqN
-----END PGP SIGNATURE-----

--
Click to compare and save on auto insurance.







http://tagline.hushmail.com/fc/BLSrjkqePmfJGmpcWA2Xcaz2NXhk84bAM4

H

x

iigERihBJ2ZwE0pe0OeJOxS/






--
Rubén Camarero
CCNA, CISSP

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at

https://www.hushtools.com/verify

Version: Hush 3.0




wpwEAQMCAAYFAknJNO4ACgkQfuF4tUz/X+JobQP/fKdv2DPbFGfAh8+N6GsdKO7ct1

B

P




2h0sXd57nD6bKwOi8CiOZR3/fMjyl72R0xuS0Gtq8PhkX/mMo8GGaHw0h8DdHJ0DIA

b

j




kAY4Pc/oNXtRaO0UoCT0CJA04M9wIgdR0batMc9N0PHhI7Z041w7ycSohm9Q5u6UR9

i

B

R3X0sRc=
=ucxK
-----END PGP SIGNATURE-----

--
Click here for free information on how to reduce your debt by

filing for

bankruptcy.




http://tagline.hushmail.com/fc/BLSrjkqhNCha09Yyoll97un6Gs8mL19gd7D

3

JKfsHHWsIQfxfuSbfcMocNq/






--
Rubén Camarero
CCNA, CISSP

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at

https://www.hushtools.com/verify




wpwEAQMCAAYFAknJNwcACgkQfuF4tUz/X+IVsQP9HDa6vSSub9nXDYpiBgz1grUqoYb
D



nVd0ee3CSbBzArov2PK6abL0aNgR4SfDj//dlq+AzUZJz02yCR61+ysv8U7uSUrRmdj
D



rXjQl21C5vWMAe9FErKxEJFqit5bNhT6NBC0aHftxDnhOiK5VxmrvwiJd9s2VMXp0ob
4

xSpn07c=
=4By0
-----END PGP SIGNATURE-----

--
Looking for insurance?  Click to compare and save big.



http://tagline.hushmail.com/fc/BLSrjkqeRJSlzyuuSygReQTvYYxFkBk62kTe
jAkm3iyoX0vxnOgDXtb7ISM/






--
Rubén Camarero
CCNA, CISSP

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAknJOZ4ACgkQfuF4tUz/X+J8uQP/dRdtZikUJJS3hakKd+ADx8isnUxc
kJIC3uzG5yp8XFJFWkCR2DaM5tBrLhXhEiIzEzoXJ95M9Gok8+GVH2nvYex6j7bde/tx
zvzLqYbum0z96D+c0Ifv2Rk2VCTSGJ+XTlOkCSyO8aASec/XLCWxm9tkLa9wSYtj7VCf
KoShv74=
=0Wmx
-----END PGP SIGNATURE-----

--
Become a medical transcriptionist at home, at your own pace.
 http://tagline.hushmail.com/fc/BLSrjkqfMmc87Q7V886A2pQQnP3wiFzt0CJlXLvT1qRvFNCBvDAhrNqJ8Mw/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: