[Full-disclosure] Fwd: Fwd: nVidia.com [Url Redirection flaw]



Don't worry about this, there's nothing to excuse.. No problem! I understand
that you are talking with Valdis.. :) maybe the olny confusion is with my
english! (i'm italian and my english understanding is not perfect yet) Be
patient.. :)

al the best

Lorenzo Vogelsang


---------- Forwarded message ----------
From: <mac.user@xxxxxxxxxxxx>
Date: 2009/3/26
Subject: Re: [Full-disclosure] Fwd: nVidia.com [Url Redirection flaw]
To: full-disclosure@xxxxxxxxxxxxxxxxx, vogelsang.lorenzo@xxxxxxxxx


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lorenzo, I apologise for any confusion - that question was geared
toward Valdis, not you. I never meant to suggest or imply with any
level of sarcasm that your actual profession was to independently
discover and report URL redirection attacks against random internet
bound hosts; simply I was curious how much Valdis was paid to do
this. Once again, sorry.

On Wed, 25 Mar 2009 17:54:23 -0400 Lorenzo Vogelsang
<vogelsang.lorenzo@xxxxxxxxx> wrote:
I don't know if this bug it's a "serious one" or not, i only
posted a "url
redirection flaw" and i think that its dangerousness and
importance should
be inferred from the type of vulnerability and the site which is
affected...
I am still a beginner in the field of security , i still have much
to
learn.. Neverthless i think that the open redirect vulnerabilty
it's
serious, because "This vulnerability is used in phishing attacks
to get
users to visit malicious sites without realizing it." (
http://www.owasp.org/index.php/Open_redirect) , this flaw increase
its
dangerousness if the site it's trusted and , IMHO, i think tha
nVidia ( it
is better or worse than ati i don't know ) is trusted and can
easily used by
an attacker or a phisher to spread malicous software or to take
similar
actions. Moreover with Xss flaw the open redirect become more
serious!
(always IMHO)
However the admin was alerted, so i've done my job....

Regards

Lorenzo Vogelsang


---------- Forwarded message ----------
From: <mac.user@xxxxxxxxxxxx>
Date: 2009/3/25
Subject: Re: [Full-disclosure] nVidia.com [Url Redirection flaw]
To: vogelsang.lorenzo@xxxxxxxxx, valdis.kletnieks@xxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What is this field you brag experience in? Independent
Professional Open URL Redirection Vulnerability Reporting? Can
you
cite any of these statistics you're talking about because to be
quite honest we think you're making this up, along with everything
else. Linking to some actual statistics will improve your full-
disclosure credibility greatly. How did you determine the 50/50
probability or is that just based up on made-up numbers as well?
I
thought Len Rose removed all the trolls from this list, why are
you
still here?

On Wed, 25 Mar 2009 12:00:27 -0400 Valdis.Kletnieks@xxxxxx wrote:
On Wed, 25 Mar 2009 15:21:42 BST, Lorenzo Vogelsang said:
Despite i've told to nvidia only the "url redirection" flaw i
think
that, if "url redirection" will be solved all the xss
inherently
vulnerabilites will be solved too.

Actual experience in the field has shown that in general, if you
report a URL
redirection issue to the maintainers of a website, a large
percentage of the
time they will *only* fix the problem with URL redirection,
unless
you make it
clear to them *and they understand* that the URL redirection is
only one
symptom of a larger XSS issue.

I'll give it a 50-50 chance that somebody will get to send NVidia
an email
saying "Good, you fixed the URL problem. Now about that XSS...."
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at
https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAknKZ9UACgkQfuF4tUz/X+KD3AP/YbCrOIuw+C0zZrAHFz4MIC4QPzp
c
8RAGpJsO47ZO43C+1O2wBpj1hnNT+28C+ehawqruDEPpm5S+xIFjJ2il0LkFA9tbejU
e
mV7jJP9ijFQIZs8dLHZZ+pECuhhC+Pkp/OBKMA9fPvKnzl69ifK9lHXy7aHWx1fCAU7
5
LGrZ7CI=
=TZMS
-----END PGP SIGNATURE-----

--
Need cash? Click to get a cash advance.

http://tagline.hushmail.com/fc/BLSrjkqa4pHNTA9754nB2aPYcEgGtTq3oMkB
To7jBcNmvNvjPfqo6s6nSV6/
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAknLrecACgkQfuF4tUz/X+JOJQP/aJOM+HP5fLPREhBf4enQr38USw9a
2sB3oijJOVM4lQ0AHSqHxwIPCLum4MZbTXuG+DNO1uI5MLNLMHQSTXlIkdnz+EupRg66
wWGACpVAdS91GfP8wjN2EnMiuPmg3EE3I0/1TXntlWWhLZsGfFi3UsqfjbBCpn043RnH
iERjnYI=
=hdIF
-----END PGP SIGNATURE-----

--
Embrace the now. Click here for your own personalized email account!

http://tagline.hushmail.com/fc/BLSrjkqaU3jifWxdpBqPmfJVEJ4GEKS6vfKbeOTl4lzIPaST1gy4U9ufqdK/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/