Full Disclosure mailing list archives
Re: Fwd: nVidia.com [Url Redirection flaw]
From: mac.user () mac hush com
Date: Thu, 26 Mar 2009 12:31:35 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Lorenzo, I apologise for any confusion - that question was geared toward Valdis, not you. I never meant to suggest or imply with any level of sarcasm that your actual profession was to independently discover and report URL redirection attacks against random internet bound hosts; simply I was curious how much Valdis was paid to do this. Once again, sorry. On Wed, 25 Mar 2009 17:54:23 -0400 Lorenzo Vogelsang <vogelsang.lorenzo () gmail com> wrote:
I don't know if this bug it's a "serious one" or not, i only posted a "url redirection flaw" and i think that its dangerousness and importance should be inferred from the type of vulnerability and the site which is affected... I am still a beginner in the field of security , i still have much to learn.. Neverthless i think that the open redirect vulnerabilty it's serious, because "This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it." ( http://www.owasp.org/index.php/Open_redirect) , this flaw increase its dangerousness if the site it's trusted and , IMHO, i think tha nVidia ( it is better or worse than ati i don't know ) is trusted and can easily used by an attacker or a phisher to spread malicous software or to take similar actions. Moreover with Xss flaw the open redirect become more serious! (always IMHO) However the admin was alerted, so i've done my job.... Regards Lorenzo Vogelsang ---------- Forwarded message ---------- From: <mac.user () mac hush com> Date: 2009/3/25 Subject: Re: [Full-disclosure] nVidia.com [Url Redirection flaw] To: vogelsang.lorenzo () gmail com, valdis.kletnieks () vt edu Cc: full-disclosure () lists grok org uk -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 What is this field you brag experience in? Independent Professional Open URL Redirection Vulnerability Reporting? Can you cite any of these statistics you're talking about because to be quite honest we think you're making this up, along with everything else. Linking to some actual statistics will improve your full- disclosure credibility greatly. How did you determine the 50/50 probability or is that just based up on made-up numbers as well? I thought Len Rose removed all the trolls from this list, why are you still here? On Wed, 25 Mar 2009 12:00:27 -0400 Valdis.Kletnieks () vt edu wrote:On Wed, 25 Mar 2009 15:21:42 BST, Lorenzo Vogelsang said:Despite i've told to nvidia only the "url redirection" flaw ithinkthat, if "url redirection" will be solved all the xssinherentlyvulnerabilites will be solved too.Actual experience in the field has shown that in general, if you report a URL redirection issue to the maintainers of a website, a large percentage of the time they will *only* fix the problem with URL redirection,unlessyou make it clear to them *and they understand* that the URL redirection is only one symptom of a larger XSS issue. I'll give it a 50-50 chance that somebody will get to send NVidia an email saying "Good, you fixed the URL problem. Now about that XSS...."-----BEGIN PGP SIGNATURE----- Charset: UTF8 Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 3.0 wpwEAQMCAAYFAknKZ9UACgkQfuF4tUz/X+KD3AP/YbCrOIuw+C0zZrAHFz4MIC4QPzp c 8RAGpJsO47ZO43C+1O2wBpj1hnNT+28C+ehawqruDEPpm5S+xIFjJ2il0LkFA9tbejU e mV7jJP9ijFQIZs8dLHZZ+pECuhhC+Pkp/OBKMA9fPvKnzl69ifK9lHXy7aHWx1fCAU7 5 LGrZ7CI= =TZMS -----END PGP SIGNATURE----- -- Need cash? Click to get a cash advance. http://tagline.hushmail.com/fc/BLSrjkqa4pHNTA9754nB2aPYcEgGtTq3oMkB To7jBcNmvNvjPfqo6s6nSV6/
-----BEGIN PGP SIGNATURE----- Charset: UTF8 Version: Hush 3.0 Note: This signature can be verified at https://www.hushtools.com/verify wpwEAQMCAAYFAknLrecACgkQfuF4tUz/X+JOJQP/aJOM+HP5fLPREhBf4enQr38USw9a 2sB3oijJOVM4lQ0AHSqHxwIPCLum4MZbTXuG+DNO1uI5MLNLMHQSTXlIkdnz+EupRg66 wWGACpVAdS91GfP8wjN2EnMiuPmg3EE3I0/1TXntlWWhLZsGfFi3UsqfjbBCpn043RnH iERjnYI= =hdIF -----END PGP SIGNATURE----- -- Embrace the now. Click here for your own personalized email account! http://tagline.hushmail.com/fc/BLSrjkqaU3iz16Kssl2FKCZoQU3Ky72TJ8FZE4qzAb8VVspW9yDEiN3fOrG/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: nVidia.com [Url Redirection flaw], (continued)
- Re: nVidia.com [Url Redirection flaw] Rubén Camarero (Mar 24)
- Re: nVidia.com [Url Redirection flaw] mac . user (Mar 24)
- Re: nVidia.com [Url Redirection flaw] mac . user (Mar 25)
- Re: nVidia.com [Url Redirection flaw] Anders Klixbull (Mar 25)
- Re: nVidia.com [Url Redirection flaw] mac . user (Mar 25)
- Re: nVidia.com [Url Redirection flaw] Anders Klixbull (Mar 25)
- Re: nVidia.com [Url Redirection flaw] mac . user (Mar 25)
- Fwd: nVidia.com [Url Redirection flaw] Lorenzo Vogelsang (Mar 25)
- Re: Fwd: nVidia.com [Url Redirection flaw] Jeremy Brown (Mar 25)
- Re: Fwd: nVidia.com [Url Redirection flaw] Pete Licoln (Mar 25)
- Fwd: nVidia.com [Url Redirection flaw] Lorenzo Vogelsang (Mar 25)
- Re: Fwd: nVidia.com [Url Redirection flaw] mac . user (Mar 26)
- Fwd: Fwd: nVidia.com [Url Redirection flaw] Lorenzo Vogelsang (Mar 26)
- Re: Fwd: nVidia.com [Url Redirection flaw] mac . user (Mar 26)
- Re: Fwd: nVidia.com [Url Redirection flaw] Pete Licoln (Mar 26)
- Re: nVidia.com [Url Redirection flaw] mac . user (Mar 26)
- Re: nVidia.com [Url Redirection flaw] Rubén Camarero (Mar 26)
- Re: nVidia.com [Url Redirection flaw] Pete Licoln (Mar 26)
- Re: nVidia.com [Url Redirection flaw] Rubén Camarero (Mar 26)
- Re: nVidia.com [Url Redirection flaw] mac . user (Mar 26)