November 4, 2010

Some clarifications

Some discussion originated from my latest disclosure of the Oracle JRE - java.net.URLConnection class – Same-of-Origin (SOP) Policy Bypass bug. The same bug was also found by Stefano Di Paola and reported by Stefano to Oracle and Google in April 2010. Oddly enough, Oracle created a separate bug identifier for my security report and provided a specific fix for the attached Proof-of-Concept. The bug was labeled by Oracle as: 18316569 "LIMIT HTTP REQUEST COOKIE HEADERS IN HTTPURLCONNECTION". Stefano's report appears to be labeled differently, as 17322681 "JAVA APPLET SAME IP HOST ACCESS". However, the underlying root cause of both issues remains the same, and it is due to a design principle which is obsolete in a world where shared hosting is an enterprise solution for many small and medium businesses.

Hopefully, following these disclosures, Oracle will do something to align its Java SOP policies to a more rigorous standard, such as treating two domains that resolve to the same IP address as two separate entities.
