Re: [Full-disclosure] nVidia.com [Url Redirection flaw]



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Are you even aware that you've been arguing with me? Perhaps we
should move this discussion off-list, so we don't annoy the rest of
the bugtrackers...

On Tue, 24 Mar 2009 15:34:32 -0400 Rubén Camarero
<rjcamarero@xxxxxxxxx> wrote:
I am only stating that the bug posted here isn't serious. I agree
with you
on the other issues, more or less anyways.

On Tue, Mar 24, 2009 at 3:30 PM, <mac.user@xxxxxxxxxxxx> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

nvidia has a poor track record with security. I'm citing two
examples. One is on their website, and one is in their drivers.
Can you cite anything they have done right? Your effective
arguing
strategies makes you a top nominee for Gadi Evron's no-swearing
event at defcon.

On Tue, 24 Mar 2009 15:27:09 -0400 Rubén Camarero
<rjcamarero@xxxxxxxxx> wrote:
That example has nothing to do with this particular bug. Using
multiple
exclamation or question marks does not help your ineffective
argument,
either.

On Tue, Mar 24, 2009 at 3:15 PM, <mac.user@xxxxxxxxxxxx> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

With all due respect, my corned beef and sauerkraut smelling
friend, I am simply pointing out that when it comes to
security
nvidia is clueless. Do you not remember the great debacle of
2006
when Rapid7 showed off remote kernel exploitation of the
nvidia
driver by webbrowser? http://kerneltrap.org/node/7228 should
refresh your memory. 40 million lost credit cards but at
least
they put nvidia in their rightful place and have their
priorities
in order. And speaking of security concerns and nvidia, why
do
you
think Microsoft didn't use nvidia in their trusted gaming
platform
xbox360???? Everyone in our industry knows that nvidia is
shit
for
security, even their javascript sucks!!!


On Tue, 24 Mar 2009 14:45:46 -0400 Rubén Camarero
<rjcamarero@xxxxxxxxx> wrote:
If ATI and nVidia were web content developers, this may be a
valid
argument,
but they are not. They are graphics vendors, hardware and
software. Not to
mention the fact that this isn't a "serious" issue. RFI is a
serious issue,
IMHO.

On Tue, Mar 24, 2009 at 1:37 PM, <mac.user@xxxxxxxxxxxx>
wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have been saying for years that ATI is better than
nvidia
and
here is just one more reason! You don't see serious
issues
like
this with ATI's website.

On Tue, 24 Mar 2009 10:13:21 -0400 Lorenzo Vogelsang
<vogelsang.lorenzo@xxxxxxxxx> wrote:
Hi all, i'm new to the list. I'm an italian student who
likes
security
topics in the I.C.T world..

Browsing the nVdia web sites, i have found a very basic
Url
redirection
flaw. Infact when downloading a driver i get Urls like
this:





http://www.nvidia.com/content/DriverDownload/download_confirmati
o
n
.



asp?kw=&url=http://us.download.nvidia.com/Windows/179.48/179.48_
n
o
t
ebook_winxp_64bit_beta.exe

and connecting to this another Url





http://www.nvidia.com/content/DriverDownload/download_confirmati
o
n
.
asp?kw=&url=http://www.google.it


will redirects succefully to www.google.it! (or other web
site
of
your
choice , or downloadble content..)


Enjoy!

Lorenzo Vogelsang.
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at
https://www.hushtools.com/verify




wpwEAQMCAAYFAknJGmEACgkQfuF4tUz/X+KtEQP/fg36QI6yY9Hw6Q5eOsLUBGtPj
g
9
/



kxEmlsVdQl23h92FU75bHiOHhDMo7nLMCbHH7HHZDMvEw05OCDBaOqTx54xyTHBay
H
4
s



xf4joU8LSrTOFrklgT7tGXr+AMIfi4ypgIXzRv6Gx0vD3EAKIR3KWL4qFtg/OahHk
l
7
q
jOiz888=
=2MOh
-----END PGP SIGNATURE-----

--
Can't pay your bills? Click here to learn about filing
for
bankruptcy.




http://tagline.hushmail.com/fc/BLSrjkqhNChbdTZRNxLsL4IFkcZYo7APte
6
M
FdjI1xth2KPqL4lm3VupTlG/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-
charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
Rubén Camarero
CCNA, CISSP
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at
https://www.hushtools.com/verify



wpwEAQMCAAYFAknJMWoACgkQfuF4tUz/X+LbggP9GPddhDh3krXB3ieyORr5Yd2RdE
6
l


foRgQOUAaXbnpxc+d2XFByNe8wAYHF+dheNou5cb0XBF99NmW4wt2uoR57/7PmSp6z
d
M


1bsBzocX6Kkpbl38bMf4ZG/OlEz7cqfNOGExPE5cicr2Y462fk/BAWfUWV6B82ieWz
4
Z
BbBeab8=
=ZiqN
-----END PGP SIGNATURE-----

--
Click to compare and save on auto insurance.



http://tagline.hushmail.com/fc/BLSrjkqePmfJGmpcWA2Xcaz2NXhk84bAM4H
x
iigERihBJ2ZwE0pe0OeJOxS/




--
Rubén Camarero
CCNA, CISSP
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at
https://www.hushtools.com/verify
Version: Hush 3.0


wpwEAQMCAAYFAknJNO4ACgkQfuF4tUz/X+JobQP/fKdv2DPbFGfAh8+N6GsdKO7ct1B
P

2h0sXd57nD6bKwOi8CiOZR3/fMjyl72R0xuS0Gtq8PhkX/mMo8GGaHw0h8DdHJ0DIAb
j

kAY4Pc/oNXtRaO0UoCT0CJA04M9wIgdR0batMc9N0PHhI7Z041w7ycSohm9Q5u6UR9i
B
R3X0sRc=
=ucxK
-----END PGP SIGNATURE-----

--
Click here for free information on how to reduce your debt by
filing for
bankruptcy.


http://tagline.hushmail.com/fc/BLSrjkqhNCha09Yyoll97un6Gs8mL19gd7D3
JKfsHHWsIQfxfuSbfcMocNq/




--
Rubén Camarero
CCNA, CISSP
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAknJNwcACgkQfuF4tUz/X+IVsQP9HDa6vSSub9nXDYpiBgz1grUqoYbD
nVd0ee3CSbBzArov2PK6abL0aNgR4SfDj//dlq+AzUZJz02yCR61+ysv8U7uSUrRmdjD
rXjQl21C5vWMAe9FErKxEJFqit5bNhT6NBC0aHftxDnhOiK5VxmrvwiJd9s2VMXp0ob4
xSpn07c=
=4By0
-----END PGP SIGNATURE-----

--
Always a good call. Click now to establish your local phone service!
http://tagline.hushmail.com/fc/BLSrjkqdEiol285IZBaWZwNaaLYjM2ZwrmuXbeUGsMm8hJItZk3LssTfv6A/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages