the keys to the interwebz!
> CC: [email protected]; [email protected]; > [email protected] > From: [email protected] > Subject: Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - > java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass > Date: Wed, 20 Oct 2010 10:38:12 -0700 > To: [email protected] > > > > Sent from my iPhone > > On Oct 20, 2010, at 8:58 AM, Michal Zalewski <[email protected]> wrote: > > >> Security-Assessment.com follows responsible disclosure > >> and promptly contacted Oracle after discovering > >> the issue. Oracle was contacted on August 1, > >> 2010. > > > > My understanding is that Stefano Di Paola of Minded Security reported > > this back in April; and further, the feature was a part of reasonably > > well-documented functionality of Java pretty much ever since: > > > > http://download.oracle.com/javase/6/docs/api/java/net/URL.html > > > > "Two hosts are considered equivalent if both host names can be > > resolved into the same IP addresses" > > > > This was a pretty horrible design, so it's good to see it gone, though. > > Eh, you can see where it came from though. Design bugs like this are > absolutely miserable to fix (see how we'll never get rebinding out of the > browser) and letting identical IP's script against eachother lets an awful > lot of legitimate traffic through while blocking almost all attacks. > > I'm not saying it's a preferred design, but let's reserve "horrible" for > things that don't have quite the obvious thought process behind them. > > Is this, in fact, gone now? > > > > > /mz > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
