Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

From: Chris Evans <scarybeasts () gmail com>
Date: Wed, 20 Oct 2010 13:18:29 -0700
On Wed, Oct 20, 2010 at 8:58 AM, Michal Zalewski <lcamtuf () coredump cx>wrote:


Security-Assessment.com follows responsible disclosure
and promptly contacted Oracle after discovering
the issue. Oracle was contacted on August 1,
2010.


My understanding is that Stefano Di Paola of Minded Security reported
this back in April; and further, the feature was a part of reasonably
well-documented functionality of Java pretty much ever since:

http://download.oracle.com/javase/6/docs/api/java/net/URL.html



The Host: header trick was also used back in 2008 in Billy Rios' GIFAR
attack -- to get around the fact that Picasa hosts images on a separate
domain:

http://xs-sniper.com/blog/2008/12/17/sun-fixes-gifars/

The blog post title was "SUN Fixes GIFARs", although it's not immediately
obvious to me what was changed or fixed.

If anyone knows what was changed back then and/or in this latest release, it
would be interesting to see it documented.


Cheers
Chris





"Two hosts are considered equivalent if both host names can be
resolved into the same IP addresses"

This was a pretty horrible design, so it's good to see it gone, though.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: