Message-Id: <20090326163258.F05181A003A@smtp.hushmail.com>
Date: Thu, 26 Mar 2009 12:32:58 -0400
From: mac.user@....hush.com
To: full-disclosure@...ts.grok.org.uk, pete.licoln@...il.com
Subject: Re: Fwd: nVidia.com [Url Redirection flaw]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter, there is no reason to insult this aspiring young computer
scientist and his endeavours to fully disclose information security
errata.  Calling him stupid for citing an industry acclaimed source
makes you nothing but arrogant and uneducated.  :)

On Wed, 25 Mar 2009 18:13:53 -0400 Pete Licoln
<pete.licoln@...il.com> wrote:
>2009/3/25 Lorenzo Vogelsang <vogelsang.lorenzo@...il.com>
>
>> Nevertheless I think that the open redirect vulnerability is serious,
>> because "This vulnerability is used in phishing attacks to get users to
>> visit malicious sites without realizing it."
>> (http://www.owasp.org/index.php/Open_redirect)
>
>Well that's actually false, because the person who WANTS to hijack/phish
>someone who TRUSTS nVidia via this "flaw" needs first to control this
>website... or trick a very very dummy person. It's almost the same as if
>you say "wow, you can do phishing with the ADDTHIS service" only because
>the "from field" can be controlled, without looking at:
>The subject: Link shared by **spoofer**
>The message body: "this spoofed_emailer recommends you to see this link,
>[Message sent by spoofer@....site via AddThis.com. Please note that the
>sender's email address has not been verified.]
>Can't do anything about that; if you're silly enough to believe in such
>credibility, A-V software won't help you either.
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
