Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

From: Stefano Di Paola <wisec () wisec it>
Date: Thu, 21 Oct 2010 06:58:57 +0200
Hey all,
I think it's Oracle bad.
I reported to Oracle this issue back on april 20th and probably Oracle
when Roberto reported the same stuff on August just said "Thank you" and
nothing more to Roberto.

Also Oracle seems to do mass credit so everyone can think that anyone
found anything among the 29 advisories :D
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

Anyway, I'll post the advisory today clarification :)

Cheers 
Stefano


Il giorno mer, 20/10/2010 alle 08.58 -0700, Michal Zalewski ha scritto:

Security-Assessment.com follows responsible disclosure
and promptly contacted Oracle after discovering
the issue. Oracle was contacted on August 1,
2010.


My understanding is that Stefano Di Paola of Minded Security reported
this back in April; and further, the feature was a part of reasonably
well-documented functionality of Java pretty much ever since:

http://download.oracle.com/javase/6/docs/api/java/net/URL.html

"Two hosts are considered equivalent if both host names can be
resolved into the same IP addresses"

This was a pretty horrible design, so it's good to see it gone, though.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: