- From: Joe Orton <joe@manyfish.co.uk>
- Date: Wed, 25 Feb 2009 11:10:40 +0000
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: Mark Nottingham <mnot@yahoo-inc.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Mon, Feb 23, 2009 at 05:53:15PM -0800, Roy T. Fielding wrote: > 3) This report blames intercepting proxies for reading and acting > upon the HTTP stream instead of blaming browsers for sending an > HTTP message that contradicts its routing via TCP/IP. I would think > that the fix is to plug the apparent (unconfirmed) security hole in > the browsers that allows plug-ins to set the value of Host independent > of the requested URI. What's up with that? This is a fun case of "chinese whispers". The problem is purely a browser/plugin issue, as you say, and was first reported in 2006: http://www.securityfocus.com/archive/1/441014 and it goes round and round until someone clueless at CERT decides it must be a security bug in proxies. I believe all the actual security bugs have been long since fixed, e.g. Flash: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6245 Regards, Joe
Received on Wednesday, 25 February 2009 11:11:23 UTC