On Mon, Feb 23, 2009 at 05:53:15PM -0800, Roy T. Fielding wrote: > 3) This report blames intercepting proxies for reading and acting > upon the HTTP stream instead of blaming browsers for sending an > HTTP message that contradicts its routing via TCP/IP. I would think > that the fix is to plug the apparent (unconfirmed) security hole in > the browsers that allows plug-ins to set the value of Host independent > of the requested URI. What's up with that? This is a fun case of "chinese whispers". The problem is purely a browser/plugin issue, as you say, and was first reported in 2006: http://www.securityfocus.com/archive/1/441014 and it goes round and round until someone clueless at CERT decides it must be a security bug in proxies. I believe all the actual security bugs have been long since fixed, e.g. Flash: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6245 Regards, JoeReceived on Wednesday, 25 February 2009 11:11:23 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:38:35 GMT