Full Disclosure: Re: nVidia.com [Url Redirection flaw]

[mac.user () mac hush com]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

With all due respect, my corned beef and sauerkraut smelling
friend, I am simply pointing out that when it comes to security
nvidia is clueless.  Do you not remember the great debacle of 2006
when Rapid7 showed off remote kernel exploitation of the nvidia
driver by webbrowser?  http://kerneltrap.org/node/7228 should
refresh your memory.  40 million lost credit cards but at least
they put nvidia in their rightful place and have their priorities
in order.  And speaking of security concerns and nvidia, why do you
think Microsoft didn't use nvidia in their trusted gaming platform
xbox360????  Everyone in our industry knows that nvidia is shit for
security, even their javascript sucks!!!


On Tue, 24 Mar 2009 14:45:46 -0400 Rubén Camarero
<rjcamarero () gmail com> wrote:
> If ATI and nVidia were web content developers, this may be a valid
> argument,
> but they are not. They are graphics vendors, hardware and
> software. Not to
> mention the fact that this isn't a "serious" issue. RFI is a
> serious issue,
> IMHO.
>
> On Tue, Mar 24, 2009 at 1:37 PM, <mac.user () mac hush com> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > I have been saying for years that ATI is better than nvidia and
> > here is just one more reason!  You don't see serious issues like
> > this with ATI's website.
> >
> > On Tue, 24 Mar 2009 10:13:21 -0400 Lorenzo Vogelsang
> > <vogelsang.lorenzo () gmail com> wrote:
> > > Hi all, i'm new to the list. I'm an italian student who likes
> > > security
> > > topics in the I.C.T world..
> > >
> > > Browsing the nVdia web sites, i have found a very basic Url
> > > redirection
> > > flaw. Infact when downloading a driver i get Urls like this:
> > http://www.nvidia.com/content/DriverDownload/download_confirmation
> .
> > asp?kw=&url=http://us.download.nvidia.com/Windows/179.48/179.48_no
> t
> > > ebook_winxp_64bit_beta.exe
> > >
> > > and connecting to this another Url
> > http://www.nvidia.com/content/DriverDownload/download_confirmation
> .
> > > asp?kw=&url=http://www.google.it
> > >
> > >
> > > will redirects succefully to www.google.it! (or other web site
> of
> > > your
> > > choice , or downloadble content..)
> > >
> > >
> > > Enjoy!
> > >
> > > Lorenzo Vogelsang.
> > -----BEGIN PGP SIGNATURE-----
> > Charset: UTF8
> > Version: Hush 3.0
> > Note: This signature can be verified at
> https://www.hushtools.com/verify
> >
> wpwEAQMCAAYFAknJGmEACgkQfuF4tUz/X+KtEQP/fg36QI6yY9Hw6Q5eOsLUBGtPjg9
> /
> >
> kxEmlsVdQl23h92FU75bHiOHhDMo7nLMCbHH7HHZDMvEw05OCDBaOqTx54xyTHBayH4
> s
> >
> xf4joU8LSrTOFrklgT7tGXr+AMIfi4ypgIXzRv6Gx0vD3EAKIR3KWL4qFtg/OahHkl7
> q
> > jOiz888=
> > =2MOh
> > -----END PGP SIGNATURE-----
> >
> > --
> > Can't pay your bills?  Click here to learn about filing for
> bankruptcy.
> >
> http://tagline.hushmail.com/fc/BLSrjkqhNChbdTZRNxLsL4IFkcZYo7APte6M
> FdjI1xth2KPqL4lm3VupTlG/
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> --
> Rubén Camarero
> CCNA, CISSP
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAknJMWoACgkQfuF4tUz/X+LbggP9GPddhDh3krXB3ieyORr5Yd2RdE6l
foRgQOUAaXbnpxc+d2XFByNe8wAYHF+dheNou5cb0XBF99NmW4wt2uoR57/7PmSp6zdM
1bsBzocX6Kkpbl38bMf4ZG/OlEz7cqfNOGExPE5cicr2Y462fk/BAWfUWV6B82ieWz4Z
BbBeab8=
=ZiqN
-----END PGP SIGNATURE-----

--
Update your home with quality hardwood flooring.
 http://tagline.hushmail.com/fc/BLSrjkqfXT3LQNSb54iA9jIV68kzbnU92oNIHkNBIrKzWapj3uN54nUpfYc/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/