| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Mar 2009 15:30:54 -0400 From: mac.user@....hush.com To: full-disclosure@...ts.grok.org.uk, rjcamarero@...il.com Subject: Re: nVidia.com [Url Redirection flaw] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 nvidia has a poor track record with security. I'm citing two examples. One is on their website, and one is in their drivers. Can you cite anything they have done right? Your effective arguing strategies makes you a top nominee for Gadi Evron's no-swearing event at defcon. On Tue, 24 Mar 2009 15:27:09 -0400 Rubén Camarero <rjcamarero@...il.com> wrote: >That example has nothing to do with this particular bug. Using >multiple >exclamation or question marks does not help your ineffective >argument, >either. > >On Tue, Mar 24, 2009 at 3:15 PM, <mac.user@....hush.com> wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> With all due respect, my corned beef and sauerkraut smelling >> friend, I am simply pointing out that when it comes to security >> nvidia is clueless. Do you not remember the great debacle of >2006 >> when Rapid7 showed off remote kernel exploitation of the nvidia >> driver by webbrowser? http://kerneltrap.org/node/7228 should >> refresh your memory. 40 million lost credit cards but at least >> they put nvidia in their rightful place and have their >priorities >> in order. And speaking of security concerns and nvidia, why do >you >> think Microsoft didn't use nvidia in their trusted gaming >platform >> xbox360???? Everyone in our industry knows that nvidia is shit >for >> security, even their javascript sucks!!! >> >> >> On Tue, 24 Mar 2009 14:45:46 -0400 Rubén Camarero >> <rjcamarero@...il.com> wrote: >> >If ATI and nVidia were web content developers, this may be a >valid >> >argument, >> >but they are not. They are graphics vendors, hardware and >> >software. Not to >> >mention the fact that this isn't a "serious" issue. RFI is a >> >serious issue, >> >IMHO. >> > >> >On Tue, Mar 24, 2009 at 1:37 PM, <mac.user@....hush.com> wrote: >> > >> >> -----BEGIN PGP SIGNED MESSAGE----- >> >> Hash: SHA1 >> >> >> >> I have been saying for years that ATI is better than nvidia >and >> >> here is just one more reason! You don't see serious issues >like >> >> this with ATI's website. >> >> >> >> On Tue, 24 Mar 2009 10:13:21 -0400 Lorenzo Vogelsang >> >> <vogelsang.lorenzo@...il.com> wrote: >> >> >Hi all, i'm new to the list. I'm an italian student who >likes >> >> >security >> >> >topics in the I.C.T world.. >> >> > >> >> >Browsing the nVdia web sites, i have found a very basic Url >> >> >redirection >> >> >flaw. Infact when downloading a driver i get Urls like this: >> >> > >> >> > >> >> >> >>>http://www.nvidia.com/content/DriverDownload/download_confirmatio >n >> >. >> >> >> >>>asp?kw=&url=http://us.download.nvidia.com/Windows/179.48/179.48_n >o >> >t >> >> >ebook_winxp_64bit_beta.exe >> >> > >> >> >and connecting to this another Url >> >> > >> >> > >> >> >> >>>http://www.nvidia.com/content/DriverDownload/download_confirmatio >n >> >. >> >> >asp?kw=&url=http://www.google.it >> >> > >> >> > >> >> >will redirects succefully to www.google.it! (or other web >site >> >of >> >> >your >> >> >choice , or downloadble content..) >> >> > >> >> > >> >> >Enjoy! >> >> > >> >> >Lorenzo Vogelsang. >> >> -----BEGIN PGP SIGNATURE----- >> >> Charset: UTF8 >> >> Version: Hush 3.0 >> >> Note: This signature can be verified at >> >https://www.hushtools.com/verify >> >> >> >> >> >>wpwEAQMCAAYFAknJGmEACgkQfuF4tUz/X+KtEQP/fg36QI6yY9Hw6Q5eOsLUBGtPjg >9 >> >/ >> >> >> >>kxEmlsVdQl23h92FU75bHiOHhDMo7nLMCbHH7HHZDMvEw05OCDBaOqTx54xyTHBayH >4 >> >s >> >> >> >>xf4joU8LSrTOFrklgT7tGXr+AMIfi4ypgIXzRv6Gx0vD3EAKIR3KWL4qFtg/OahHkl >7 >> >q >> >> jOiz888= >> >> =2MOh >> >> -----END PGP SIGNATURE----- >> >> >> >> -- >> >> Can't pay your bills? Click here to learn about filing for >> >bankruptcy. >> >> >> >> >> >>http://tagline.hushmail.com/fc/BLSrjkqhNChbdTZRNxLsL4IFkcZYo7APte6 >M >> >FdjI1xth2KPqL4lm3VupTlG/ >> >> >> >> _______________________________________________ >> >> Full-Disclosure - We believe in it. >> >> Charter: http://lists.grok.org.uk/full-disclosure- >charter.html >> >> Hosted and sponsored by Secunia - http://secunia.com/ >> >> >> > >> > >> > >> >-- >> >Rubén Camarero >> >CCNA, CISSP >> -----BEGIN PGP SIGNATURE----- >> Charset: UTF8 >> Version: Hush 3.0 >> Note: This signature can be verified at >https://www.hushtools.com/verify >> >> >wpwEAQMCAAYFAknJMWoACgkQfuF4tUz/X+LbggP9GPddhDh3krXB3ieyORr5Yd2RdE6 >l >> >foRgQOUAaXbnpxc+d2XFByNe8wAYHF+dheNou5cb0XBF99NmW4wt2uoR57/7PmSp6zd >M >> >1bsBzocX6Kkpbl38bMf4ZG/OlEz7cqfNOGExPE5cicr2Y462fk/BAWfUWV6B82ieWz4 >Z >> BbBeab8= >> =ZiqN >> -----END PGP SIGNATURE----- >> >> -- >> Click to compare and save on auto insurance. >> >> >http://tagline.hushmail.com/fc/BLSrjkqePmfJGmpcWA2Xcaz2NXhk84bAM4Hx >iigERihBJ2ZwE0pe0OeJOxS/ >> >> > > >-- >Rubén Camarero >CCNA, CISSP -----BEGIN PGP SIGNATURE----- Charset: UTF8 Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 3.0 wpwEAQMCAAYFAknJNO4ACgkQfuF4tUz/X+JobQP/fKdv2DPbFGfAh8+N6GsdKO7ct1BP 2h0sXd57nD6bKwOi8CiOZR3/fMjyl72R0xuS0Gtq8PhkX/mMo8GGaHw0h8DdHJ0DIAbj kAY4Pc/oNXtRaO0UoCT0CJA04M9wIgdR0batMc9N0PHhI7Z041w7ycSohm9Q5u6UR9iB R3X0sRc= =ucxK -----END PGP SIGNATURE----- -- Click here to save cash and find low rates on auto loans. http://tagline.hushmail.com/fc/BLSrjkqhD16WH9MlZRubSobTfJnbb93GLCOzNUmf8iWgO7sdRqDO9MrRyJi/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists