lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Mar 2009 17:59:22 -0400 From: Jeremy Brown <0xjbrown41@...il.com> To: Lorenzo Vogelsang <vogelsang.lorenzo@...il.com>, full-disclosure@...ts.grok.org.uk Subject: Re: Fwd: nVidia.com [Url Redirection flaw] http://en.wikipedia.org/wiki/URL_redirection XSS is often useful when its relevant... Nice try, keep up the research Lorenzo! On Wed, Mar 25, 2009 at 5:54 PM, Lorenzo Vogelsang <vogelsang.lorenzo@...il.com> wrote: > I don't know if this bug it's a "serious one" or not, i only posted a "url > redirection flaw" and i think that its dangerousness and importance should > be inferred from the type of vulnerability and the site which is affected... > I am still a beginner in the field of security , i still have much to > learn.. Neverthless i think that the open redirect vulnerabilty it's > serious, because "This vulnerability is used in phishing attacks to get > users to visit malicious sites without realizing it." ( > http://www.owasp.org/index.php/Open_redirect) , this flaw increase its > dangerousness if the site it's trusted and , IMHO, i think tha nVidia ( it > is better or worse than ati i don't know ) is trusted and can easily used by > an attacker or a phisher to spread malicous software or to take similar > actions. Moreover with Xss flaw the open redirect become more serious! > (always IMHO) > However the admin was alerted, so i've done my job.... > > Regards > > Lorenzo Vogelsang > > > ---------- Forwarded message ---------- > From: <mac.user@....hush.com> > Date: 2009/3/25 > Subject: Re: [Full-disclosure] nVidia.com [Url Redirection flaw] > To: vogelsang.lorenzo@...il.com, valdis.kletnieks@...edu > Cc: full-disclosure@...ts.grok.org.uk > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > What is this field you brag experience in? Independent > Professional Open URL Redirection Vulnerability Reporting? Can you > cite any of these statistics you're talking about because to be > quite honest we think you're making this up, along with everything > else. Linking to some actual statistics will improve your full- > disclosure credibility greatly. How did you determine the 50/50 > probability or is that just based up on made-up numbers as well? I > thought Len Rose removed all the trolls from this list, why are you > still here? > > On Wed, 25 Mar 2009 12:00:27 -0400 Valdis.Kletnieks@...edu wrote: >>On Wed, 25 Mar 2009 15:21:42 BST, Lorenzo Vogelsang said: >>> Despite i've told to nvidia only the "url redirection" flaw i >>think >>> that, if "url redirection" will be solved all the xss inherently >>> vulnerabilites will be solved too. >> >>Actual experience in the field has shown that in general, if you >>report a URL >>redirection issue to the maintainers of a website, a large >>percentage of the >>time they will *only* fix the problem with URL redirection, unless >>you make it >>clear to them *and they understand* that the URL redirection is >>only one >>symptom of a larger XSS issue. >> >>I'll give it a 50-50 chance that somebody will get to send NVidia >>an email >>saying "Good, you fixed the URL problem. Now about that XSS...." > -----BEGIN PGP SIGNATURE----- > Charset: UTF8 > Note: This signature can be verified at https://www.hushtools.com/verify > Version: Hush 3.0 > > wpwEAQMCAAYFAknKZ9UACgkQfuF4tUz/X+KD3AP/YbCrOIuw+C0zZrAHFz4MIC4QPzpc > 8RAGpJsO47ZO43C+1O2wBpj1hnNT+28C+ehawqruDEPpm5S+xIFjJ2il0LkFA9tbejUe > mV7jJP9ijFQIZs8dLHZZ+pECuhhC+Pkp/OBKMA9fPvKnzl69ifK9lHXy7aHWx1fCAU75 > LGrZ7CI= > =TZMS > -----END PGP SIGNATURE----- > > -- > Need cash? Click to get a cash advance. > http://tagline.hushmail.com/fc/BLSrjkqa4pHNTA9754nB2aPYcEgGtTq3oMkBTo7jBcNmvNvjPfqo6s6nSV6/ > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists