Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
From: Chris Evans <scarybeasts () gmail com>
Date: Wed, 20 Oct 2010 13:18:29 -0700

On Wed, Oct 20, 2010 at 8:58 AM, Michal Zalewski <lcamtuf () coredump cx>wrote:

Security-Assessment.com follows responsible disclosure
and promptly contacted Oracle after discovering
the issue. Oracle was contacted on August 1,
2010.

My understanding is that Stefano Di Paola of Minded Security reported
this back in April; and further, the feature was a part of reasonably
well-documented functionality of Java pretty much ever since:

http://download.oracle.com/javase/6/docs/api/java/net/URL.html


The Host: header trick was also used back in 2008 in Billy Rios' GIFAR
attack -- to get around the fact that Picasa hosts images on a separate
domain:

http://xs-sniper.com/blog/2008/12/17/sun-fixes-gifars/

The blog post title was "SUN Fixes GIFARs", although it's not immediately
obvious to me what was changed or fixed.

If anyone knows what was changed back then and/or in this latest release, it
would be interesting to see it documented.


Cheers
Chris




"Two hosts are considered equivalent if both host names can be
resolved into the same IP addresses"

This was a pretty horrible design, so it's good to see it gone, though.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]