[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20090326163550.96FE01A0032@smtp.hushmail.com>
Date: Thu, 26 Mar 2009 12:35:50 -0400
From: mac.user@....hush.com
To: full-disclosure@...ts.grok.org.uk, nick@...us-l.demon.co.uk
Subject: Re: nVidia.com [Url Redirection flaw]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear Nick - how did you determine this estimate of 80%+????
On Thu, 26 Mar 2009 04:05:28 -0400 Nick FitzGerald <nick@...us-
l.demon.co.uk> wrote:
>Pete Licoln saw fit to write:
>
>> There's a difference between an xss and an url redirection ..
>> this post was about an url js based redirection, now it's a Xss,
>to me
>> that's a lot of talk ( and i do contribute ) for an no
>persistant xss ,
>> ...
>
>We've seen weirder things used in phish and other scams...
>
>Remember, open redirectors allow remote "brand reputation
>transfer" (aka
>theft) for whatever purpose may suit a third a party. Web app
>devs and
>admins who do not inherently understand that (some 80+% by my
>estimates)
>should not be allowed near any servers on the public Internet.
>(That
>would put Doubleclick, and thereby much of Google, well out of
>business.)
>
>I can imagine ways the "fake codec" folk could _very_ conveniently
>use
>this to boost their install rates. (If I have to spell this out
>to
>anyone here, they're on the wrong list...)
>
>...
>
>Now Valdis -- what odds will you give for nVidia fixing this
>before we
>see it being roundly abused?
>
>
>Regards,
>
>Nick FitzGerald
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify
wpwEAQMCAAYFAknLruYACgkQfuF4tUz/X+JXOwQAj7/I5U01JDGC+wapmYxkc52UfHVW
iVMtY+69jrHG3T4UoKfcKd+tN8bMkhTiUmFl/q4O1zy1niPOf6ocJNscr4fnkWatsgBO
FTRsbJekKj6/Y2WtrgHjgM9pNWtKtQBMyEWT2U9VwW0koHSaQicq6q77Fgq/5Zhj8T/u
PvbdaeA=
=sgw8
-----END PGP SIGNATURE-----
--
Click for online loan, fast & no lender fee, approval today
http://tagline.hushmail.com/fc/BLSrjkqeS9BQ8GJAv4SOtugjeMswkzynVQ5GAVStb2EhAvRiynVO3NU1BqY/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists