On Wed, Oct 20, 2010 at 2:29 PM, Billy Rios <[email protected]> wrote:
> In the patch for CVE-2008-5343 (GIFAR) Sun tightened their file parsing
> rules for remote JAR files, making it harder to smuggle JAR files onto the
> end of other filetypes. This makes it more difficult to create a GIF+JAR
> hybrid file. AFAIK, local JAR files were considered out of scope and will
> not be subject to the additional file parsing scrutiny.

Do you have a link to details on how the new parsing heuristic works, and
how "remote" is determined?

> Sun/Oracle has not removed the ability to modify arbitrary HOST headers.

Isn't that what they fixed in response to Roberto's latest report? Roberto,
any idea what was changed?

Cheers
Chris

> So, if an attacker can upload a JAR file to a web app, they will have the
> ability to jump to any domain (virtual hosted or subdomain) that exists on
> the server. The cookies sent by the applet will be from the domain provided
> in the URL object, however the content returned by the server will be from
> the domain specified in the HOST header. This can cause havoc for places
> where separation relies on subdomains (like wordpress.com et al.) where
> users have by-design control of content on one subdomain and use that
> content to target users on a different subdomain.
>
> Java also doesn't respect file extension, content-type, or
> content-disposition returned by the web server making it a bit easier to
> upload JAR files to unsuspecting web apps.
>
> BK
>
> On Wed, Oct 20, 2010 at 1:18 PM, Chris Evans <[email protected]> wrote:
>
>> On Wed, Oct 20, 2010 at 8:58 AM, Michal Zalewski <[email protected]> wrote:
>>
>>> > Security-Assessment.com follows responsible disclosure
>>> > and promptly contacted Oracle after discovering
>>> > the issue. Oracle was contacted on August 1,
>>> > 2010.
>>>
>>> My understanding is that Stefano Di Paola of Minded Security reported
>>> this back in April; and further, the feature was a part of reasonably
>>> well-documented functionality of Java pretty much ever since:
>>>
>>> http://download.oracle.com/javase/6/docs/api/java/net/URL.html
>>
>> The Host: header trick was also used back in 2008 in Billy Rios' GIFAR
>> attack -- to get around the fact that Picasa hosts images on a separate
>> domain:
>>
>> http://xs-sniper.com/blog/2008/12/17/sun-fixes-gifars/
>>
>> The blog post title was "SUN Fixes GIFARs", although it's not immediately
>> obvious to me what was changed or fixed.
>>
>> If anyone knows what was changed back then and/or in this latest release,
>> it would be interesting to see it documented.
>>
>> Cheers
>> Chris
>>
>>> "Two hosts are considered equivalent if both host names can be
>>> resolved into the same IP addresses"
>>>
>>> This was a pretty horrible design, so it's good to see it gone, though.
>>>
>>> /mz
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
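The thread's point that Java ignores the extension, Content-Type and Content-Disposition of a fetched JAR means an upload endpoint cannot rely on those either; a JAR is a ZIP, and ZIP readers locate the archive from its tail, so an image with an archive appended still loads as a JAR. The following is an added example of a byte-level upload check (written for this page, not code from any poster in the thread or from Sun/Oracle); it assumes an endpoint that accepts only GIF, PNG or JPEG, and the GIF+ZIP sample it builds is a constructed test input, not a real picture.

```python
"""Server-side check for image uploads that are also ZIP/JAR archives.

A JAR is a ZIP archive, and ZIP readers find the archive by scanning
backwards for the End-of-Central-Directory (EOCD) record, so a valid
GIF, PNG or JPEG can sit in front of it without breaking it.  Because
Java ignores the extension and the Content-Type the server sends, the
reliable defence on the upload side is to inspect the bytes themselves
and reject anything that parses as a ZIP archive.
"""
import io
import zipfile

# Leading byte signatures of the image formats the (assumed) endpoint accepts.
IMAGE_MAGIC = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}


def image_type(data: bytes):
    """Return the image MIME type implied by the leading bytes, or None."""
    for magic, mime in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def is_zip_archive(data: bytes) -> bool:
    """True if a ZIP reader would accept the bytes as an archive.

    zipfile.is_zipfile searches backwards for the EOCD record, the same way
    a JAR loader finds the archive, so a prefixed image does not hide it.
    """
    return zipfile.is_zipfile(io.BytesIO(data))


def archive_members(data: bytes) -> list:
    """Entry names a ZIP reader would see; empty list if not an archive."""
    if not is_zip_archive(data):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def classify_upload(data: bytes) -> str:
    """Classify an upload as 'image', 'archive', 'polyglot' or 'unknown'.

    Only 'image' should be accepted by an endpoint that expects pictures:
    'polyglot' is the GIF+JAR hybrid case and 'archive' a bare JAR/ZIP
    arriving with a misleading name or Content-Type.
    """
    img = image_type(data)
    zipped = is_zip_archive(data)
    if zipped and img:
        return "polyglot"
    if zipped:
        return "archive"
    if img:
        return "image"
    return "unknown"


def build_sample_gif_zip_polyglot() -> bytes:
    """Constructed test input: a minimal GIF header followed by a small ZIP."""
    # 1x1 GIF89a header, logical screen descriptor and trailer (14 bytes)
    gif = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b";"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello.txt", "constructed sample entry")
    return gif + buf.getvalue()


if __name__ == "__main__":
    plain = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b";"
    print(classify_upload(plain))                            # image
    sample = build_sample_gif_zip_polyglot()
    print(classify_upload(sample), archive_members(sample))  # polyglot ['hello.txt']
```

The check deliberately uses the same EOCD-based lookup a ZIP reader uses rather than a signature scan from the front, because the front of a hybrid file is by design a legitimate image; an endpoint should reject anything that classifies as `archive` or `polyglot` regardless of what the client declared.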
