[Full-disclosure] nVidia.com [Url Redirection flaw]



Yes i've notice that is also vulnerable to Xss.. In fact this link :

http://www.nvidia.com/content/DriverDownload/download_confirmation.asp?kw=&url=%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E

will succefully popup an "xss" alert message. Moreover i've checked
Xssed.com and i saw that a Xss flaw(not url redirection) was already
been found by st@rext ( http://www.xssed.com/mirror/25632/ ) in
17/11/2007. Nevertheless i think that nvidia was not aware of any
vulnerabilities until the day in which I alerted the admin to the url
redirection on nvidia.com (or nvidia is very slow to solve problems,
but i don't wanna do thnik so.. :) ). In fact he answer me that a bug
report was opened and that his team is working to solve the problem.
Despite i've told to nvidia only the "url redirection" flaw i think
that, if "url redirection" will be solved all the xss inherently
vulnerabilites will be solved too.

Regards

Lorenzo Vogelsang.



---------- Forwarded message ----------
From: Martin Aberastegue <xyborg@xxxxxxxxx>
Date: Wed, 25 Mar 2009 10:48:24 -0300
Subject: Re: [Full-disclosure] nVidia.com [Url Redirection flaw]
To: Lorenzo Vogelsang <vogelsang.lorenzo@xxxxxxxxx>
Cc: full-disclosure@xxxxxxxxxxxxxxxxx

Well, we have a XSS too, just put whatever you want on the variable
"url" closing first the meta refresh tag, i.e:

http://www.nvidia.com/content/DriverDownload/download_confirmation.asp?kw=&url=";><iframe
src="http://www.yahoo.com/"; with="100%" height=600></iframe><!--

Since nVidia is a trusted site some people could use it to spread
malware directly from there. This is just a simple redirection issue
and nVidia may have to correct this ASAP, even if they are just
"graphics vendors".

Regards.


---
Martin Aberastegue
http://www.martinaberastegue.com/



On Tue, Mar 24, 2009 at 11:13 AM, Lorenzo Vogelsang
<vogelsang.lorenzo@xxxxxxxxx> wrote:
Hi all, i'm new to the list. I'm an italian student who likes security
topics in the I.C.T world..

Browsing the nVdia web sites, i have found a very basic Url redirection
flaw. Infact when downloading a driver i get Urls like this:


http://www.nvidia.com/content/DriverDownload/download_confirmation.asp?kw=&url=http://us.download.nvidia.com/Windows/179.48/179.48_notebook_winxp_64bit_beta.exe

and connecting to this another Url


http://www.nvidia.com/content/DriverDownload/download_confirmation.asp?kw=&url=http://www.google.it


will redirects succefully to www.google.it! (or other web site of your
choice , or downloadble content..)


Enjoy!

Lorenzo Vogelsang.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: [Full-disclosure] Fwd: nVidia.com [Url Redirection flaw]
    ... On Wed, Mar 25, 2009 at 5:54 PM, Lorenzo Vogelsang ... be inferred from the type of vulnerability and the site which is affected... ... Moreover with Xss flaw the open redirect become more serious! ... Professional Open URL Redirection Vulnerability Reporting? ...
    (Full-Disclosure)
  • Re: [Full-disclosure] nVidia.com [Url Redirection flaw]
    ... There's a difference between an xss and an url redirection .. ... Charter: http://lists.grok.org.uk/full-disclosure-charter.html ... Hosted and sponsored by Secunia - http://secunia.com/ ...
    (Full-Disclosure)