Actually, a slightly different manifestation of the exact same underlying issue is http://www.webappsec.org/lists/websecurity/archive/2006-08/msg00047.html On Wed, Feb 25, 2009 at 1:10 PM, Joe Orton <joe@manyfish.co.uk> wrote: > On Mon, Feb 23, 2009 at 05:53:15PM -0800, Roy T. Fielding wrote: >> 3) This report blames intercepting proxies for reading and acting >> upon the HTTP stream instead of blaming browsers for sending an >> HTTP message that contradicts its routing via TCP/IP. I would think >> that the fix is to plug the apparent (unconfirmed) security hole in >> the browsers that allows plug-ins to set the value of Host independent >> of the requested URI. What's up with that? > > This is a fun case of "chinese whispers". The problem is purely a > browser/plugin issue, as you say, and was first reported in 2006: > > http://www.securityfocus.com/archive/1/441014 > > and it goes round and round until someone clueless at CERT decides it > must be a security bug in proxies. I believe all the actual security > bugs have been long since fixed, e.g. Flash: > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6245 > > Regards, Joe > >Received on Wednesday, 25 February 2009 11:52:57 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:38:35 GMT