
Re: CERT VU#435052 - intercepting proxy vulnerability

From: Amit Klein <aksecurity@gmail.com>
Date: Wed, 25 Feb 2009 13:52:19 +0200
Message-ID: <26162adb0902250352g4598fc39i8e4b2b2c039f1748@mail.gmail.com>
To: Joe Orton <joe@manyfish.co.uk>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Mark Nottingham <mnot@yahoo-inc.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

Actually, a slightly different manifestation of the exact same
underlying issue is

http://www.webappsec.org/lists/websecurity/archive/2006-08/msg00047.html

On Wed, Feb 25, 2009 at 1:10 PM, Joe Orton <joe@manyfish.co.uk> wrote:
> On Mon, Feb 23, 2009 at 05:53:15PM -0800, Roy T. Fielding wrote:
>> 3) This report blames intercepting proxies for reading and acting
>> upon the HTTP stream instead of blaming browsers for sending an
>> HTTP message that contradicts its routing via TCP/IP.  I would think
>> that the fix is to plug the apparent (unconfirmed) security hole in
>> the browsers that allows plug-ins to set the value of Host independent
>> of the requested URI.  What's up with that?
>
> This is a fun case of "Chinese whispers".  The problem is purely a
> browser/plugin issue, as you say, and was first reported in 2006:
>
> http://www.securityfocus.com/archive/1/441014
>
> and it goes round and round until someone clueless at CERT decides it
> must be a security bug in proxies.  I believe all the actual security
> bugs have been long since fixed, e.g. Flash:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6245
>
> Regards, Joe
>
>
Received on Wednesday, 25 February 2009 11:52:57 GMT
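A proxy-side sanity check for the contradiction discussed above (a Host header that disagrees with the TCP destination the client actually connected to), added here as an example that is not part of this thread or of any proxy or browser project. The RESOLVER map and the SAMPLE requests are constructed stand-ins for the proxy's own DNS view and for captured traffic; a Host without a port is assumed to mean port 80.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class InterceptedRequest:
    dst_ip: str    # TCP destination the client connected to (known from the transparent redirect)
    dst_port: int
    raw: bytes     # request bytes exactly as the client sent them

# Constructed stand-in for the proxy's own DNS resolution of each hostname.
RESOLVER = {
    "www.example.com": {"93.184.216.34"},
    "intranet.example.net": {"10.0.0.5"},
}

def parse_host(raw: bytes):
    """Return (host, port) from the first Host header, or None if there is none."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            value = value.strip()
            if value.startswith("["):            # IPv6 literal, e.g. [::1]:8080
                host, _, rest = value[1:].partition("]")
                port = rest[1:] if rest.startswith(":") else ""
            else:
                host, _, port = value.partition(":")
            return host.lower(), (int(port) if port.isdigit() else 80)
    return None

def host_matches_destination(req: InterceptedRequest, resolver=RESOLVER) -> bool:
    """True only if Host names the address and port the client's TCP connection went to."""
    parsed = parse_host(req.raw)
    if parsed is None:
        return False                              # no Host header: nothing safe to route on
    host, port = parsed
    if port != req.dst_port:
        return False
    try:                                          # Host may be an IP literal
        return ipaddress.ip_address(host) == ipaddress.ip_address(req.dst_ip)
    except ValueError:                            # a hostname: compare against its resolution
        return req.dst_ip in resolver.get(host, set())

# Constructed sample: one consistent request, one whose Host contradicts its socket.
SAMPLE = [
    InterceptedRequest("93.184.216.34", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    InterceptedRequest("93.184.216.34", 80, b"GET /admin HTTP/1.1\r\nHost: intranet.example.net\r\n\r\n"),
]
```

A proxy that refuses (or at least logs) requests failing this check keeps a client-supplied Host from steering the request somewhere the client's own TCP connection never went.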
