Re: CERT VU#435052 - intercepting proxy vulnerability

From: Joe Orton <joe@manyfish.co.uk>
Date: Wed, 25 Feb 2009 11:10:40 +0000
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Mark Nottingham <mnot@yahoo-inc.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <20090225111040.GA9497@manyfish.co.uk>

On Mon, Feb 23, 2009 at 05:53:15PM -0800, Roy T. Fielding wrote:
> 3) This report blames intercepting proxies for reading and acting
> upon the HTTP stream instead of blaming browsers for sending an
> HTTP message that contradicts its routing via TCP/IP.  I would think
> that the fix is to plug the apparent (unconfirmed) security hole in
> the browsers that allows plug-ins to set the value of Host independent
> of the requested URI.  What's up with that?

This is a fun case of "Chinese whispers".  The problem is purely a
browser/plugin issue, as you say, and was first reported in 2006:

http://www.securityfocus.com/archive/1/441014

and it goes round and round until someone clueless at CERT decides it 
must be a security bug in proxies.  I believe all the actual security 
bugs have been long since fixed, e.g. Flash:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6245

Regards, Joe
Received on Wednesday, 25 February 2009 11:11:23 GMT
