Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix CVE-2014-4671 #93

Merged
merged 1 commit into from Sep 21, 2014
Merged

Fix CVE-2014-4671 #93

merged 1 commit into from Sep 21, 2014

Conversation

@Fugiman
Copy link

Fugiman commented Jul 10, 2014

CVE-2014-4671 describes a reflection attack using JSONP callbacks to cause a trusted domain to return a malicious SWF that can make requests to the trusted domain with the victims credentials. The attack relies on having control over the first byte of the response, and therefore can be mitigated by prepending valid Javascript to the response.

A more detailed write up of the attack and mitigations can be found at http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/

@fcsonline
Copy link

fcsonline commented Jul 15, 2014

👍

2 similar comments
@saimonmoore
Copy link

saimonmoore commented Jul 15, 2014

👍

@choonkeat
Copy link

choonkeat commented Jul 17, 2014

👍

@ijcd
Copy link

ijcd commented Sep 20, 2014

Bump. This is a security fix. What's the hold up?

manveru added a commit that referenced this pull request Sep 21, 2014
Fix CVE-2014-4671
@manveru manveru merged commit 1b11346 into rack:master Sep 21, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

7 participants
You can’t perform that action at this time.