[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

To: <dan@xxxxxxxxxxx>, <lcamtuf@xxxxxxxxxxx>
Subject: Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
From: Matthew Bergin <matt.bergin@xxxxxxxxxxx>
Date: Wed, 20 Oct 2010 13:49:03 -0700

the keys to the interwebz!


> CC: roberto.suggi@xxxxxxxxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx; 
> bugtraq@xxxxxxxxxxxxxxxxx
> From: dan@xxxxxxxxxxx
> Subject: Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - 
> java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
> Date: Wed, 20 Oct 2010 10:38:12 -0700
> To: lcamtuf@xxxxxxxxxxx
> 
> 
> 
> Sent from my iPhone
> 
> On Oct 20, 2010, at 8:58 AM, Michal Zalewski <lcamtuf@xxxxxxxxxxx> wrote:
> 
> >> Security-Assessment.com follows responsible disclosure
> >> and promptly contacted Oracle after discovering
> >> the issue. Oracle was contacted on August 1,
> >> 2010.
> > 
> > My understanding is that Stefano Di Paola of Minded Security reported
> > this back in April; and further, the feature was a part of reasonably
> > well-documented functionality of Java pretty much ever since:
> > 
> > http://download.oracle.com/javase/6/docs/api/java/net/URL.html
> > 
> > "Two hosts are considered equivalent if both host names can be
> > resolved into the same IP addresses"
> > 
> > This was a pretty horrible design, so it's good to see it gone, though.
> 
> Eh, you can see where it came from though. Design bugs like this are 
> absolutely miserable to fix (see how we'll never get rebinding out of the 
> browser) and letting identical IP's script against eachother lets an awful 
> lot of legitimate traffic through while blocking almost all attacks.
> 
> I'm not saying it's a preferred design, but let's reserve "horrible" for 
> things that don't have quite the obvious thought process behind them.
> 
> Is this, in fact, gone now?
> 
> > 
> > /mz
> > 
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
  - From: Michal Zalewski
- Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
  - From: Dan Kaminsky

Prev by Date: Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
Next by Date: [Full-disclosure] [SecurityArchitect-009]: Microsoft Windows Mobile Double Free Vulnerability
Previous by thread: Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
Next by thread: Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
Index(es):
- Date
- Thread