Full Disclosure mailing list archives

Re: nVidia.com [Url Redirection flaw]

From: Chris Evans <scarybeasts () gmail com>
Date: Wed, 25 Mar 2009 12:29:11 -0700

2009/3/25 Rubén Camarero <rjcamarero () gmail com>:

What great references. Owasp isn't the king of vulnerability information, of
course a website named XSSed is going to count this as super serious, and
while I respect Insecure.. these days, people have exploited web bugs to
their max (and I'm waiting for more), but they aren't directly serious.
DIRECTLY is the key word.


What about indirectly? People love to rant and rave about redirectors,
but none of it is informed. Sure, redirectors often feature in URLs
leading to malware etc. But that's irrelevant without click-through
rates and block rates on the redirected vs. non-redirected versions.
All the evidence I see is that the class of users we're trying to
protect will click on arbitrary links without care for the domain.
(And enter their passwords in any domain, without checking for https,
and etc. etc).

Cheers
Chris


2009/3/25 yersinia <yersinia.spiros () gmail com>


2009/3/24 Rubén Camarero <rjcamarero () gmail com>


If ATI and nVidia were web content developers, this may be a valid
argument, but they are not. They are graphics vendors, hardware and
software. Not to mention the fact that this isn't a "serious" issue. RFI is
a serious issue, IMHO.


Well, not everyone agreed with your opinion.

http://www.owasp.org/index.php/Open_redirect


http://www.xssed.com/article/26/Open_redirect_vulnerabilities_definition_and_prevention/


http://www.net-security.org/dl/insecure/INSECURE-Mag-17.pdf




--
Rubén Camarero
CCNA, CISSP

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

nVidia.com [Url Redirection flaw] Lorenzo Vogelsang (Mar 24)
- Re: nVidia.com [Url Redirection flaw] Martin Aberastegue (Mar 25)
  - nVidia.com [Url Redirection flaw] Lorenzo Vogelsang (Mar 25)
    - Re: nVidia.com [Url Redirection flaw] Valdis . Kletnieks (Mar 25)
- <Possible follow-ups>
- Re: nVidia.com [Url Redirection flaw] mac . user (Mar 24)
  - Re: nVidia.com [Url Redirection flaw] Rubén Camarero (Mar 24)
    - Re: nVidia.com [Url Redirection flaw] yersinia (Mar 25)
    - Re: nVidia.com [Url Redirection flaw] Rubén Camarero (Mar 25)
    - Re: nVidia.com [Url Redirection flaw] Chris Evans (Mar 25)
    - Re: nVidia.com [Url Redirection flaw] Pete Licoln (Mar 25)
    - Re: nVidia.com [Url Redirection flaw] Nick FitzGerald (Mar 26)
    - Re: nVidia.com [Url Redirection flaw] Nick FitzGerald (Mar 25)
    - Re: nVidia.com [Url Redirection flaw] Rubén Camarero (Mar 25)
  - Re: nVidia.com [Url Redirection flaw] Pete Licoln (Mar 24)
    - Re: nVidia.com [Url Redirection flaw] ascii (Mar 24)
    - Re: nVidia.com [Url Redirection flaw] Eitan Adler (Mar 24)
    - Re: nVidia.com [Url Redirection flaw] Jan G.B. (Mar 25)
  - Re: nVidia.com [Url Redirection flaw] Anders Klixbull (Mar 25)
  - Re: nVidia.com [Url Redirection flaw] Michal (Mar 25)

(Thread continues...)