Re: CERT VU#435052 - intercepting proxy vulnerability

On Mon, Feb 23, 2009 at 05:53:15PM -0800, Roy T. Fielding wrote:
> 3) This report blames intercepting proxies for reading and acting
> upon the HTTP stream instead of blaming browsers for sending an
> HTTP message that contradicts its routing via TCP/IP.  I would think
> that the fix is to plug the apparent (unconfirmed) security hole in
> the browsers that allows plug-ins to set the value of Host independent
> of the requested URI.  What's up with that?

This is a fun case of "chinese whispers".  The problem is purely a 
browser/plugin issue, as you say, and was first reported in 2006:

and it goes round and round until someone clueless at CERT decides it 
must be a security bug in proxies.  I believe all the actual security 
bugs have been long since fixed, e.g. Flash:

Regards, Joe

Received on Wednesday, 25 February 2009 11:11:23 UTC