lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <c83481820903251459k4c3ade33sab29f3d08ff2ea46@mail.gmail.com>
Date: Wed, 25 Mar 2009 17:59:22 -0400
From: Jeremy Brown <0xjbrown41@...il.com>
To: Lorenzo Vogelsang <vogelsang.lorenzo@...il.com>,
	full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: nVidia.com [Url Redirection flaw]

http://en.wikipedia.org/wiki/URL_redirection

XSS is often useful when its relevant...

Nice try, keep up the research Lorenzo!

On Wed, Mar 25, 2009 at 5:54 PM, Lorenzo Vogelsang
<vogelsang.lorenzo@...il.com> wrote:
> I don't know if this bug it's a "serious one" or not, i only posted a "url
> redirection flaw" and i think that its dangerousness and importance should
> be inferred from the type of vulnerability and the site which is affected...
> I am still a beginner in the field of security , i still have much to
> learn.. Neverthless i think that the open redirect vulnerabilty it's
> serious, because "This vulnerability is used in phishing attacks to get
> users to visit malicious sites without realizing it." (
> http://www.owasp.org/index.php/Open_redirect) , this flaw increase its
> dangerousness if the site it's trusted and , IMHO, i think tha nVidia ( it
> is better or worse than ati i don't know ) is trusted and can easily used by
> an attacker or a phisher to spread malicous software or to take similar
> actions. Moreover with Xss flaw the open redirect become more serious!
> (always IMHO)
> However the admin was alerted, so i've done my job....
>
> Regards
>
> Lorenzo Vogelsang
>
>
> ---------- Forwarded message ----------
> From: <mac.user@....hush.com>
> Date: 2009/3/25
> Subject: Re: [Full-disclosure] nVidia.com [Url Redirection flaw]
> To: vogelsang.lorenzo@...il.com, valdis.kletnieks@...edu
> Cc: full-disclosure@...ts.grok.org.uk
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> What is this field you brag experience in?  Independent
> Professional Open URL Redirection Vulnerability Reporting?  Can you
> cite any of these statistics you're talking about because to be
> quite honest we think you're making this up, along with everything
> else.  Linking to some actual statistics will improve your full-
> disclosure credibility greatly.  How did you determine the 50/50
> probability or is that just based up on made-up numbers as well?  I
> thought Len Rose removed all the trolls from this list, why are you
> still here?
>
> On Wed, 25 Mar 2009 12:00:27 -0400 Valdis.Kletnieks@...edu wrote:
>>On Wed, 25 Mar 2009 15:21:42 BST, Lorenzo Vogelsang said:
>>> Despite i've told to nvidia only the "url redirection"  flaw i
>>think
>>> that, if "url redirection" will be solved all the xss inherently
>>> vulnerabilites will be solved too.
>>
>>Actual experience in the field has shown that in general, if you
>>report a URL
>>redirection issue to the maintainers of a website, a large
>>percentage of the
>>time they will *only* fix the problem with URL redirection, unless
>>you make it
>>clear to them *and they understand* that the URL redirection is
>>only one
>>symptom of a larger XSS issue.
>>
>>I'll give it a 50-50 chance that somebody will get to send NVidia
>>an email
>>saying "Good, you fixed the URL problem.  Now about that XSS...."
> -----BEGIN PGP SIGNATURE-----
> Charset: UTF8
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 3.0
>
> wpwEAQMCAAYFAknKZ9UACgkQfuF4tUz/X+KD3AP/YbCrOIuw+C0zZrAHFz4MIC4QPzpc
> 8RAGpJsO47ZO43C+1O2wBpj1hnNT+28C+ehawqruDEPpm5S+xIFjJ2il0LkFA9tbejUe
> mV7jJP9ijFQIZs8dLHZZ+pECuhhC+Pkp/OBKMA9fPvKnzl69ifK9lHXy7aHWx1fCAU75
> LGrZ7CI=
> =TZMS
> -----END PGP SIGNATURE-----
>
> --
> Need cash? Click to get a cash advance.
>  http://tagline.hushmail.com/fc/BLSrjkqa4pHNTA9754nB2aPYcEgGtTq3oMkBTo7jBcNmvNvjPfqo6s6nSV6/
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ