- From: Amit Klein <aksecurity@gmail.com>
- Date: Wed, 25 Feb 2009 13:52:19 +0200
- To: Joe Orton <joe@manyfish.co.uk>
- Cc: "Roy T. Fielding" <fielding@gbiv.com>, Mark Nottingham <mnot@yahoo-inc.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Actually, a slightly different manifestation of the exact same underlying issue is http://www.webappsec.org/lists/websecurity/archive/2006-08/msg00047.html On Wed, Feb 25, 2009 at 1:10 PM, Joe Orton <joe@manyfish.co.uk> wrote: > On Mon, Feb 23, 2009 at 05:53:15PM -0800, Roy T. Fielding wrote: >> 3) This report blames intercepting proxies for reading and acting >> upon the HTTP stream instead of blaming browsers for sending an >> HTTP message that contradicts its routing via TCP/IP. I would think >> that the fix is to plug the apparent (unconfirmed) security hole in >> the browsers that allows plug-ins to set the value of Host independent >> of the requested URI. What's up with that? > > This is a fun case of "chinese whispers". The problem is purely a > browser/plugin issue, as you say, and was first reported in 2006: > > http://www.securityfocus.com/archive/1/441014 > > and it goes round and round until someone clueless at CERT decides it > must be a security bug in proxies. I believe all the actual security > bugs have been long since fixed, e.g. Flash: > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6245 > > Regards, Joe > >
Received on Wednesday, 25 February 2009 11:52:57 UTC