|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
From: Michal Zalewski (lcamtuf
coredump.cx)
Date: Wed Oct 20 2010 - 10:58:29 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> Security-Assessment.com follows responsible disclosure
> and promptly contacted Oracle after discovering
> the issue. Oracle was contacted on August 1,
> 2010.
My understanding is that Stefano Di Paola of Minded Security reported
this back in April; and further, the feature was a part of reasonably
well-documented functionality of Java pretty much ever since:
http://download.oracle.com/javase/6/docs/api/java/net/URL.html
"Two hosts are considered equivalent if both host names can be
resolved into the same IP addresses"
This was a pretty horrible design, so it's good to see it gone, though.
/mz
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]