[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <545c35ac0903261044s3a1354b8sb3b1adc3f72e6958@mail.gmail.com>
Date: Thu, 26 Mar 2009 18:44:57 +0100
From: Lorenzo Vogelsang <vogelsang.lorenzo@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Fwd: Fwd: nVidia.com [Url Redirection flaw]
Don't worry about this, there's nothing to excuse.. No problem! I understand
that you are talking with Valdis.. :) maybe the olny confusion is with my
english! (i'm italian and my english understanding is not perfect yet) Be
patient.. :)
al the best
Lorenzo Vogelsang
---------- Forwarded message ----------
From: <mac.user@....hush.com>
Date: 2009/3/26
Subject: Re: [Full-disclosure] Fwd: nVidia.com [Url Redirection flaw]
To: full-disclosure@...ts.grok.org.uk, vogelsang.lorenzo@...il.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Lorenzo, I apologise for any confusion - that question was geared
toward Valdis, not you. I never meant to suggest or imply with any
level of sarcasm that your actual profession was to independently
discover and report URL redirection attacks against random internet
bound hosts; simply I was curious how much Valdis was paid to do
this. Once again, sorry.
On Wed, 25 Mar 2009 17:54:23 -0400 Lorenzo Vogelsang
<vogelsang.lorenzo@...il.com> wrote:
>I don't know if this bug it's a "serious one" or not, i only
>posted a "url
>redirection flaw" and i think that its dangerousness and
>importance should
>be inferred from the type of vulnerability and the site which is
>affected...
>I am still a beginner in the field of security , i still have much
>to
>learn.. Neverthless i think that the open redirect vulnerabilty
>it's
>serious, because "This vulnerability is used in phishing attacks
>to get
>users to visit malicious sites without realizing it." (
>http://www.owasp.org/index.php/Open_redirect) , this flaw increase
>its
>dangerousness if the site it's trusted and , IMHO, i think tha
>nVidia ( it
>is better or worse than ati i don't know ) is trusted and can
>easily used by
>an attacker or a phisher to spread malicous software or to take
>similar
>actions. Moreover with Xss flaw the open redirect become more
>serious!
>(always IMHO)
>However the admin was alerted, so i've done my job....
>
>Regards
>
>Lorenzo Vogelsang
>
>
>---------- Forwarded message ----------
>From: <mac.user@....hush.com>
>Date: 2009/3/25
>Subject: Re: [Full-disclosure] nVidia.com [Url Redirection flaw]
>To: vogelsang.lorenzo@...il.com, valdis.kletnieks@...edu
>Cc: full-disclosure@...ts.grok.org.uk
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>What is this field you brag experience in? Independent
>Professional Open URL Redirection Vulnerability Reporting? Can
>you
>cite any of these statistics you're talking about because to be
>quite honest we think you're making this up, along with everything
>else. Linking to some actual statistics will improve your full-
>disclosure credibility greatly. How did you determine the 50/50
>probability or is that just based up on made-up numbers as well?
>I
>thought Len Rose removed all the trolls from this list, why are
>you
>still here?
>
>On Wed, 25 Mar 2009 12:00:27 -0400 Valdis.Kletnieks@...edu wrote:
>>On Wed, 25 Mar 2009 15:21:42 BST, Lorenzo Vogelsang said:
>>> Despite i've told to nvidia only the "url redirection" flaw i
>>think
>>> that, if "url redirection" will be solved all the xss
>inherently
>>> vulnerabilites will be solved too.
>>
>>Actual experience in the field has shown that in general, if you
>>report a URL
>>redirection issue to the maintainers of a website, a large
>>percentage of the
>>time they will *only* fix the problem with URL redirection,
>unless
>>you make it
>>clear to them *and they understand* that the URL redirection is
>>only one
>>symptom of a larger XSS issue.
>>
>>I'll give it a 50-50 chance that somebody will get to send NVidia
>>an email
>>saying "Good, you fixed the URL problem. Now about that XSS...."
>-----BEGIN PGP SIGNATURE-----
>Charset: UTF8
>Note: This signature can be verified at
>https://www.hushtools.com/verify
>Version: Hush 3.0
>
>wpwEAQMCAAYFAknKZ9UACgkQfuF4tUz/X+KD3AP/YbCrOIuw+C0zZrAHFz4MIC4QPzp
>c
>8RAGpJsO47ZO43C+1O2wBpj1hnNT+28C+ehawqruDEPpm5S+xIFjJ2il0LkFA9tbejU
>e
>mV7jJP9ijFQIZs8dLHZZ+pECuhhC+Pkp/OBKMA9fPvKnzl69ifK9lHXy7aHWx1fCAU7
>5
>LGrZ7CI=
>=TZMS
>-----END PGP SIGNATURE-----
>
>--
>Need cash? Click to get a cash advance.
>
>http://tagline.hushmail.com/fc/BLSrjkqa4pHNTA9754nB2aPYcEgGtTq3oMkB
>To7jBcNmvNvjPfqo6s6nSV6/
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify
wpwEAQMCAAYFAknLrecACgkQfuF4tUz/X+JOJQP/aJOM+HP5fLPREhBf4enQr38USw9a
2sB3oijJOVM4lQ0AHSqHxwIPCLum4MZbTXuG+DNO1uI5MLNLMHQSTXlIkdnz+EupRg66
wWGACpVAdS91GfP8wjN2EnMiuPmg3EE3I0/1TXntlWWhLZsGfFi3UsqfjbBCpn043RnH
iERjnYI=
=hdIF
-----END PGP SIGNATURE-----
--
Embrace the now. Click here for your own personalized email account!
http://tagline.hushmail.com/fc/BLSrjkqaU3jifWxdpBqPmfJVEJ4GEKS6vfKbeOTl4lzIPaST1gy4U9ufqdK/
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists