Bugtraq mailing list archives
Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 20 Oct 2010 08:58:29 -0700
Security-Assessment.com follows responsible disclosure and promptly contacted Oracle after discovering the issue. Oracle was contacted on August 1, 2010.
My understanding is that Stefano Di Paola of Minded Security reported this back in April; and further, the feature was a part of reasonably well-documented functionality of Java pretty much ever since: http://download.oracle.com/javase/6/docs/api/java/net/URL.html "Two hosts are considered equivalent if both host names can be resolved into the same IP addresses" This was a pretty horrible design, so it's good to see it gone, though. /mz
Current thread:
- Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Roberto Suggi Liverani (Oct 19)
- Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Mike Duncan (Oct 20)
- Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Michal Zalewski (Oct 20)
- Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Dan Kaminsky (Oct 20)
- Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Early Warning (Oct 21)
- Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Roberto Suggi Liverani (Oct 21)
- <Possible follow-ups>
- Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Mike Duncan (Oct 21)