Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 20 Oct 2010 08:58:29 -0700

Security-Assessment.com follows responsible disclosure
and promptly contacted Oracle after discovering
the issue. Oracle was contacted on August 1,
2010.

My understanding is that Stefano Di Paola of Minded Security reported
this back in April; and further, the feature was a part of reasonably
well-documented functionality of Java pretty much ever since:

http://download.oracle.com/javase/6/docs/api/java/net/URL.html

"Two hosts are considered equivalent if both host names can be
resolved into the same IP addresses"

This was a pretty horrible design, so it's good to see it gone, though.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault