Lorenzo,

I apologise for any confusion - that question was geared toward Valdis, not you. I never meant to suggest or imply with any level of sarcasm that your actual profession was to independently discover and report URL redirection attacks against random internet-bound hosts; I was simply curious how much Valdis was paid to do this. Once again, sorry.
On Wed, 25 Mar 2009 17:54:23 -0400 Lorenzo Vogelsang <vogelsang.lore...@gmail.com> wrote:
> I don't know if this bug is a "serious one" or not; I only posted a "URL redirection flaw" and I think that its dangerousness and importance should be inferred from the type of vulnerability and the site which is affected...
> I am still a beginner in the field of security; I still have much to learn. Nevertheless I think that the open redirect vulnerability is serious, because "This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it." (http://www.owasp.org/index.php/Open_redirect). This flaw increases its dangerousness if the site is trusted and, IMHO, I think that nVidia (whether it is better or worse than ATI, I don't know) is trusted and can easily be used by an attacker or a phisher to spread malicious software or to take similar actions. Moreover, with an XSS flaw the open redirect becomes more serious! (always IMHO)
> However the admin was alerted, so I've done my job....
>
> Regards
>
> Lorenzo Vogelsang
>
>
> ---------- Forwarded message ----------
> From: <mac.u...@mac.hush.com>
> Date: 2009/3/25
> Subject: Re: [Full-disclosure] nVidia.com [Url Redirection flaw]
> To: vogelsang.lore...@gmail.com, valdis.kletni...@vt.edu
> Cc: full-disclosure@lists.grok.org.uk
>
> What is this field you brag experience in? Independent Professional Open URL Redirection Vulnerability Reporting? Can you cite any of these statistics you're talking about, because to be quite honest we think you're making this up, along with everything else. Linking to some actual statistics will improve your full-disclosure credibility greatly. How did you determine the 50/50 probability, or is that just based upon made-up numbers as well? I thought Len Rose removed all the trolls from this list, why are you still here?
>
> On Wed, 25 Mar 2009 12:00:27 -0400 valdis.kletni...@vt.edu wrote:
>> On Wed, 25 Mar 2009 15:21:42 BST, Lorenzo Vogelsang said:
>>> Although I've told nVidia only about the "URL redirection" flaw, I think that, if the "URL redirection" is solved, all the inherent XSS vulnerabilities will be solved too.
>>
>> Actual experience in the field has shown that in general, if you report a URL redirection issue to the maintainers of a website, a large percentage of the time they will *only* fix the problem with URL redirection, unless you make it clear to them *and they understand* that the URL redirection is only one symptom of a larger XSS issue.
>>
>> I'll give it a 50-50 chance that somebody will get to send NVidia an email saying "Good, you fixed the URL problem. Now about that XSS...."
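Valdis's point above, that the redirect is usually one symptom of a larger input-handling problem, can be shown with an added example (not code from the thread, from nVidia, or from any of the posters): a "host-only" fix closes the off-site phishing redirect that Lorenzo quotes OWASP on, yet still accepts non-web schemes that become an XSS vector the moment the value is written into a link or a script. The stricter check treats the parameter as untrusted input instead. The site host name and the sample inputs are hypothetical, constructed values.

```python
from urllib.parse import urlsplit

# Hypothetical site origin for the example; not a value from the thread.
SITE_HOST = "www.example.com"
SAFE_SCHEMES = {"http", "https"}


def naive_fix(target: str) -> bool:
    """The 'redirect-only' fix: accept any target that names no foreign host.

    It stops the off-site phishing redirect, but treats anything without a
    host (including javascript: and data: URLs) as a harmless local path.
    """
    host = urlsplit(target).netloc.lower()
    return host in ("", SITE_HOST)


def strict_fix(target: str) -> bool:
    """Treat the parameter as untrusted input, not as a URL to be trusted.

    Allowed: an absolute http(s) URL on our own host, or a plain site-relative
    path.  Rejected: any other scheme, protocol-relative "//host" (and the
    "/\\host" spelling browsers also accept), userinfo/port variants, and
    control characters that browsers silently strip before parsing.
    """
    if any(ord(ch) < 0x21 for ch in target):
        return False
    parts = urlsplit(target)
    if parts.scheme:
        # Compare the whole netloc so "user@host" and ":port" variants fail.
        return parts.scheme.lower() in SAFE_SCHEMES and parts.netloc.lower() == SITE_HOST
    if parts.netloc or target.startswith(("//", "/\\", "\\")):
        return False
    return target.startswith("/")


def compare(targets):
    """Return {target: (naive_verdict, strict_verdict)} for a list of inputs."""
    return {t: (naive_fix(t), strict_fix(t)) for t in targets}


if __name__ == "__main__":
    # Constructed sample values a redirect parameter might carry.
    samples = ["/account", "https://www.example.com/login", "https://evil.example/",
               "//evil.example/", "/\\evil.example", "javascript:alert(1)",
               "http:evil.example", "/a\tb"]
    for t, (naive, strict) in compare(samples).items():
        print(f"{t!r:35} naive={naive!s:5} strict={strict}")
```

The rows where the two verdicts differ are exactly the cases a "redirect-only" fix leaves open, which is why the XSS follow-up email Valdis predicts tends to be needed.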
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/