Users of the Oracle JRE java.net.URLConnection class, please be advised of a Same-of-Origin (SOP) Policy Bypass vulnerability that has been identified.
To view this vulnerability, its possible remedies, and other advisories, please see the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx).
Amplify’d from www.criticalwatch.com
Oracle-SA-10/19/2010: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
+-----------+
|Description|
+-----------+
Security-Assessment.com discovered that a Java Applet making use of the java.net.URLConnection class can be used to bypass the same-of-origin (SOP) policy and domain-based security controls in modern browsers when communication occurs between two domains that resolve to the same IP address. This advisory includes a Proof-of-Concept (PoC) demo and Java Applet source code, which demonstrate how this security issue can be exploited to leak cookie information to an unauthorised domain that resides on the same host IP address.
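The precondition above is that two domains share one host IP address. The following is an added triage helper, not the advisory's PoC or any Critical Watch code: it groups a list of hostnames by the addresses they resolve to and reports only the addresses shared by more than one name, which is the co-hosting situation an unpatched JRE applet could abuse. The hostnames in the `__main__` block are read from stdin; the resolver is injectable so the grouping logic can be exercised with a constructed mapping instead of live DNS.

```python
import socket
import sys
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Set


def resolve_all(host: str) -> Set[str]:
    """Return every IPv4/IPv6 address the host resolves to (empty set on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def cohosted_groups(hosts: Iterable[str],
                    resolve: Callable[[str], Set[str]] = resolve_all) -> Dict[str, List[str]]:
    """Group hostnames by shared IP address.

    Only addresses shared by two or more distinct hostnames are returned,
    because that is the condition the advisory describes: an applet loaded
    from one of those names could reach the other through
    java.net.URLConnection on an unpatched JRE, carrying that domain's cookies.
    Names are normalised (trimmed, lower-cased) so aliases of the same host
    are not reported as a pair.
    """
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for host in {h.strip().lower() for h in hosts if h.strip()}:
        for ip in resolve(host):
            by_ip[ip].add(host)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    # Usage: printf 'login.example.test\nblog.example.test\n' | python3 cohosted.py
    inventory = [line for line in sys.stdin]
    for ip, names in sorted(cohosted_groups(inventory).items()):
        print(f"{ip}: {', '.join(names)}")
```

Any group printed is a candidate for moving the sensitive site to its own address until the JRE on client machines is updated.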
