BugTraq
Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Oct 19 2010 11:18AM
Roberto Suggi Liverani (roberto suggi security-assessment com) (2 replies)
Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Oct 20 2010 03:58PM
Michal Zalewski (lcamtuf coredump cx) (2 replies)
> Security-Assessment.com follows responsible disclosure
> and promptly contacted Oracle after discovering
> the issue. Oracle was contacted on August 1,
> 2010.

My understanding is that Stefano Di Paola of Minded Security reported
this back in April; and further, the feature was a part of reasonably
well-documented functionality of Java pretty much ever since:

http://download.oracle.com/javase/6/docs/api/java/net/URL.html

"Two hosts are considered equivalent if both host names can be
resolved into the same IP addresses"

This was a pretty horrible design, so it's good to see it gone, though.

/mz

[ reply ]
Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Oct 21 2010 09:22AM
Early Warning (seclist mindedsecurity com)
Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Oct 20 2010 10:09PM
Roberto Suggi Liverani (roberto suggi security-assessment com)
Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass Oct 20 2010 03:05PM
Mike Duncan (Mike Duncan noaa gov)


 

Privacy Statement
Copyright 2010, SecurityFocus