[Full-disclosure] Fwd: nVidia.com [Url Redirection flaw]
mac.user at mac.hush.com
Thu Mar 26 16:31:35 GMT 2009
Lorenzo, I apologise for any confusion - that question was geared
toward Valdis, not you. I never meant to suggest or imply with any
level of sarcasm that your actual profession was to independently
discover and report URL redirection attacks against random internet
bound hosts; simply I was curious how much Valdis was paid to do
this. Once again, sorry.
On Wed, 25 Mar 2009 17:54:23 -0400 Lorenzo Vogelsang
<vogelsang.lorenzo at gmail.com> wrote:
>I don't know if this bug is a "serious one" or not, i only posted a "url redirection flaw" and i think that its dangerousness and
>be inferred from the type of vulnerability and the site which is
>I am still a beginner in the field of security, i still have much
>learn.. Nevertheless i think that the open redirect vulnerability
>serious, because "This vulnerability is used in phishing attacks
>users to visit malicious sites without realizing it." (http://www.owasp.org/index.php/Open_redirect), this flaw increase
>dangerousness if the site is trusted and, IMHO, i think tha
>nVidia (it is better or worse than ati i don't know) is trusted and can
>easily used by an attacker or a phisher to spread malicious software or to take
>actions. Moreover with XSS flaw the open redirect become more
>However the admin was alerted, so i've done my job....
>---------- Forwarded message ----------
>From: <mac.user at mac.hush.com>
>Subject: Re: [Full-disclosure] nVidia.com [Url Redirection flaw]
>To: vogelsang.lorenzo at gmail.com, valdis.kletnieks at vt.edu
>Cc: full-disclosure at lists.grok.org.uk
>What is this field you brag experience in? Independent Professional Open URL Redirection Vulnerability Reporting? Can
>cite any of these statistics you're talking about because to be quite honest we think you're making this up, along with everything else. Linking to some actual statistics will improve your full-disclosure credibility greatly. How did you determine the 50/50 probability or is that just based upon made-up numbers as well?
>thought Len Rose removed all the trolls from this list, why are
>On Wed, 25 Mar 2009 12:00:27 -0400 Valdis.Kletnieks at vt.edu wrote:
>>On Wed, 25 Mar 2009 15:21:42 BST, Lorenzo Vogelsang said:
>>> Despite i've told to nvidia only the "url redirection" flaw i
>>> that, if "url redirection" will be solved all the xss
>>> vulnerabilities will be solved too.
>>Actual experience in the field has shown that in general, if you report a URL redirection issue to the maintainers of a website, a large percentage of the time they will *only* fix the problem with URL redirection,
>>you make it clear to them *and they understand* that the URL redirection is
>>symptom of a larger XSS issue.
>>I'll give it a 50-50 chance that somebody will get to send NVidia
>>saying "Good, you fixed the URL problem. Now about that XSS...."
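Valdis's point above, that a site owner may patch the redirect hop while leaving the XSS side of the same parameter untouched, is easy to show with a redirect-target validator. The snippet below is an added illustration, not code from nVidia or anyone in this thread; the host name, parameter handling and sample targets are constructed assumptions. `naive_fix` only blocks foreign hosts (the "redirect-only" fix), so a `javascript:` target or a triple-slash host still passes; `safe_redirect` allows nothing but a same-site relative path.

```python
from urllib.parse import urlparse

# Constructed assumptions for this example: the site's own host and the
# landing page used when a redirect target is rejected.
SITE_HOST = "www.example.com"
SAFE_LANDING = "/"


def naive_fix(target: str) -> str:
    """'Redirect-only' fix: keep targets whose host is ours (or absent),
    bounce everything else. Closes the phishing hop to other hosts, but a
    scheme such as javascript: has no host, so it is passed straight
    through to the Location header / link, i.e. the XSS half survives."""
    host = urlparse(target).hostname
    if host is None or host == SITE_HOST:
        return target
    return SAFE_LANDING


def safe_redirect(target: str) -> str:
    """Hardened check: accept only a same-origin relative path."""
    parsed = urlparse(target)
    # Any scheme (javascript:, data:, http:) or authority part is rejected.
    if parsed.scheme or parsed.netloc:
        return SAFE_LANDING
    # Must be a path; '//host' and '///host' are protocol-relative to browsers.
    if not target.startswith("/") or target.startswith("//"):
        return SAFE_LANDING
    # Browsers normalise backslashes to slashes; CR/LF would split the header.
    if "\\" in target or "\r" in target or "\n" in target:
        return SAFE_LANDING
    return target


def compare(targets):
    """Return {target: (naive_result, safe_result)} for a list of targets."""
    return {t: (naive_fix(t), safe_redirect(t)) for t in targets}


if __name__ == "__main__":
    # Constructed sample targets, as a redirect parameter might receive them.
    for target, (naive, safe) in compare([
        "/account/settings?tab=1",
        "http://evil.example/login",
        "///evil.example",
        "javascript:alert(document.domain)",
    ]).items():
        print(f"{target!r:40} naive->{naive!r:38} safe->{safe!r}")
```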
Full-Disclosure is hosted and sponsored by Secunia.