Date: Tue, 24 Mar 2009 15:27:09 -0400
From: Rubén Camarero <rjcamarero@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: nVidia.com [Url Redirection flaw]

That example has nothing to do with this particular bug. Using multiple
exclamation or question marks does not help your ineffective argument,
either.

On Tue, Mar 24, 2009 at 3:15 PM, <mac.user@....hush.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> With all due respect, my corned beef and sauerkraut smelling
> friend, I am simply pointing out that when it comes to security
> nvidia is clueless.  Do you not remember the great debacle of 2006
> when Rapid7 showed off remote kernel exploitation of the nvidia
> driver by web browser?  http://kerneltrap.org/node/7228 should
> refresh your memory.  40 million lost credit cards but at least
> they put nvidia in their rightful place and have their priorities
> in order.  And speaking of security concerns and nvidia, why do you
> think Microsoft didn't use nvidia in their trusted gaming platform
> xbox360????  Everyone in our industry knows that nvidia is shit for
> security, even their javascript sucks!!!
>
>
> On Tue, 24 Mar 2009 14:45:46 -0400 Rubén Camarero
> <rjcamarero@...il.com> wrote:
> >If ATI and nVidia were web content developers, this may be a valid
> >argument,
> >but they are not. They are graphics vendors, hardware and
> >software. Not to
> >mention the fact that this isn't a "serious" issue. RFI is a
> >serious issue,
> >IMHO.
> >
> >On Tue, Mar 24, 2009 at 1:37 PM, <mac.user@....hush.com> wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> I have been saying for years that ATI is better than nvidia and
> >> here is just one more reason!  You don't see serious issues like
> >> this with ATI's website.
> >>
> >> On Tue, 24 Mar 2009 10:13:21 -0400 Lorenzo Vogelsang
> >> <vogelsang.lorenzo@...il.com> wrote:
> >> >Hi all, I'm new to the list. I'm an Italian student who likes
> >> >security topics in the I.C.T. world..
> >> >
> >> >Browsing the nVidia web sites, I have found a very basic URL
> >> >redirection flaw. In fact, when downloading a driver I get URLs
> >> >like this:
> >> >
> >> >http://www.nvidia.com/content/DriverDownload/download_confirmation.asp?kw=&url=http://us.download.nvidia.com/Windows/179.48/179.48_notebook_winxp_64bit_beta.exe
> >> >
> >> >and connecting to this other URL
> >> >
> >> >http://www.nvidia.com/content/DriverDownload/download_confirmation.asp?kw=&url=http://www.google.it
> >> >
> >> >will redirect successfully to www.google.it! (or another web site
> >> >of your choice, or downloadable content..)
> >> >
> >> >Enjoy!
> >> >
> >> >Lorenzo Vogelsang.
> >> -----BEGIN PGP SIGNATURE-----
> >> Charset: UTF8
> >> Version: Hush 3.0
> >> Note: This signature can be verified at https://www.hushtools.com/verify
> >>
> >> wpwEAQMCAAYFAknJGmEACgkQfuF4tUz/X+KtEQP/fg36QI6yY9Hw6Q5eOsLUBGtPjg9/
> >> kxEmlsVdQl23h92FU75bHiOHhDMo7nLMCbHH7HHZDMvEw05OCDBaOqTx54xyTHBayH4s
> >> xf4joU8LSrTOFrklgT7tGXr+AMIfi4ypgIXzRv6Gx0vD3EAKIR3KWL4qFtg/OahHkl7q
> >> jOiz888=
> >> =2MOh
> >> -----END PGP SIGNATURE-----
> >>
> >> --
> >> Can't pay your bills?  Click here to learn about filing for bankruptcy.
> >>
> >> http://tagline.hushmail.com/fc/BLSrjkqhNChbdTZRNxLsL4IFkcZYo7APte6MFdjI1xth2KPqL4lm3VupTlG/
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >>
> >
> >
> >
> >--
> >Rubén Camarero
> >CCNA, CISSP
> -----BEGIN PGP SIGNATURE-----
> Charset: UTF8
> Version: Hush 3.0
> Note: This signature can be verified at https://www.hushtools.com/verify
>
> wpwEAQMCAAYFAknJMWoACgkQfuF4tUz/X+LbggP9GPddhDh3krXB3ieyORr5Yd2RdE6l
> foRgQOUAaXbnpxc+d2XFByNe8wAYHF+dheNou5cb0XBF99NmW4wt2uoR57/7PmSp6zdM
> 1bsBzocX6Kkpbl38bMf4ZG/OlEz7cqfNOGExPE5cicr2Y462fk/BAWfUWV6B82ieWz4Z
> BbBeab8=
> =ZiqN
> -----END PGP SIGNATURE-----
>
> --
> Click to compare and save on auto insurance.
>
> http://tagline.hushmail.com/fc/BLSrjkqePmfJGmpcWA2Xcaz2NXhk84bAM4HxiigERihBJ2ZwE0pe0OeJOxS/
>
>


-- 
Rubén Camarero
CCNA, CISSP
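As an added example (this is not code from nVidia or from anyone in this thread), the kind of allowlist check a download-confirmation page can apply to its `url` parameter before issuing a redirect, written in Python. The allowed host list, the fallback URL and the function names are assumptions made for illustration; the two confirmation URLs are the ones quoted in Lorenzo's report. The vulnerable variant mirrors the reported behaviour (the parameter is used verbatim); the safe variant only redirects to an absolute http(s) URL whose host matches the allowlist exactly and carries no embedded credentials.

```python
"""Allowlist-based validation of a ``url=`` redirect parameter.

Added example, not nVidia's code. ALLOWED_HOSTS, FALLBACK and the
function names are assumptions for illustration.
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Assumed allowlist: the hosts a driver-download confirmation page is
# actually meant to send visitors to.
ALLOWED_HOSTS = frozenset({"us.download.nvidia.com", "download.nvidia.com"})

# Assumed fallback destination when the parameter is missing or rejected.
FALLBACK = "http://www.nvidia.com/"


def vulnerable_redirect_target(url_param: str) -> str:
    """Mirrors the behaviour described in the report: whatever the
    ``url`` parameter holds becomes the redirect destination."""
    return url_param


def safe_redirect_target(url_param: str, allowed_hosts=ALLOWED_HOSTS,
                         fallback: str = FALLBACK) -> str:
    """Return ``url_param`` only if it is an absolute http(s) URL whose
    host is exactly on the allowlist; otherwise return ``fallback``."""
    if not url_param:
        return fallback
    try:
        parts = urlsplit(url_param.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return fallback
    # Only plain http/https may be followed; every other scheme is refused.
    # A protocol-relative "//host" has no scheme and is refused here too.
    if parts.scheme.lower() not in ("http", "https"):
        return fallback
    host = parts.hostname  # lower-cased, userinfo and port stripped
    if host is None:
        return fallback
    # Refuse embedded credentials: "http://a@b" is delivered to host b,
    # but a naive substring check might have looked at a.
    if parts.username is not None or parts.password is not None:
        return fallback
    # Exact match only; a suffix match would accept "trusted.host.example".
    if host not in allowed_hosts:
        return fallback
    # Rebuild from the parsed parts so the caller gets a normalised URL.
    return urlunsplit((parts.scheme.lower(), parts.netloc, parts.path or "/",
                       parts.query, parts.fragment))


def redirect_for_request(confirmation_url: str) -> str:
    """Extract the ``url`` query parameter from a confirmation-page URL
    (as in the report) and run it through the safe check."""
    query = urlsplit(confirmation_url).query
    url_param = parse_qs(query).get("url", [""])[0]
    return safe_redirect_target(url_param)


if __name__ == "__main__":
    # The two URLs quoted in the report: the legitimate driver download
    # and the one pointing the parameter at www.google.it.
    samples = [
        "http://www.nvidia.com/content/DriverDownload/download_confirmation"
        ".asp?kw=&url=http://us.download.nvidia.com/Windows/179.48/"
        "179.48_notebook_winxp_64bit_beta.exe",
        "http://www.nvidia.com/content/DriverDownload/download_confirmation"
        ".asp?kw=&url=http://www.google.it",
    ]
    for s in samples:
        print(s)
        print("  redirects to:", redirect_for_request(s))
```

Running the module prints the driver URL unchanged for the first sample and the fallback for the second. Matching the host exactly, rather than checking that the parameter "starts with" or "contains" a trusted name, is what closes the hole: both of the report's URLs contain `nvidia.com`, and only one of them should be followed.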


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/