Fix CVE-2014-4671 #93

Merged
merged 1 commit into from
Sep 21, 2014
Conversation

FugiTech

CVE-2014-4671 describes a reflection attack using JSONP callbacks to cause a trusted domain to return a malicious SWF that can make requests to the trusted domain with the victim's credentials. The attack relies on having control over the first byte of the response, and therefore can be mitigated by prepending valid JavaScript to the response.

A more detailed write-up of the attack and mitigations can be found at http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/

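The mitigation in the PR description above, shown as an added example that is not the project's own Rack::JSONP code: a minimal JSONP-wrapping Rack-style middleware (plain `call(env)` triple, no `rack` gem required) that prepends `/**/` to the response so the first bytes are never attacker-controlled. The class name `SafeJsonp`, the `harden:` switch, the `INNER_APP` sample app and the callback value `CWSaZ9` are all constructed for illustration; `CWSaZ9` merely stands in for an alphanumeric Rosetta-Flash-style payload whose first three bytes spell the SWF magic `CWS`. The point the example makes is that a strict identifier whitelist on the callback name is not enough on its own, because such a payload is purely alphanumeric and passes it; only the prefix defeats the attack.

```ruby
require 'json'
require 'uri'

# Added example (not the project's code): JSONP wrapper in the spirit of the
# CVE-2014-4671 fix. Wraps an application/json body in callback(...), and
# by default prepends "/**/" so the response cannot start with SWF magic.
class SafeJsonp
  # Dotted JavaScript identifiers only, e.g. "cb" or "app.handlers.cb".
  # NOTE: an alphanumeric Rosetta-Flash-style payload still matches this,
  # which is exactly why the prefix below is the real mitigation.
  VALID_CALLBACK = /\A[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*\z/
  # Valid JavaScript that Flash will never accept as the start of a SWF.
  PREFIX = '/**/'.freeze

  # harden: is an assumed switch used here only to show the before/after.
  def initialize(app, harden: true)
    @app = app
    @harden = harden
  end

  def call(env)
    status, headers, body = @app.call(env)
    callback = callback_from(env['QUERY_STRING'].to_s)
    # Pass through untouched unless a safe callback was given and the
    # upstream response is JSON (header name per the classic Rack spec).
    return [status, headers, body] if callback.nil?
    return [status, headers, body] unless headers['Content-Type'].to_s.start_with?('application/json')

    json = +''
    body.each { |chunk| json << chunk }
    body.close if body.respond_to?(:close)

    padded = "#{@harden ? PREFIX : ''}#{callback}(#{json})"
    new_headers = headers.merge(
      'Content-Type' => 'application/javascript',
      'Content-Length' => padded.bytesize.to_s
    )
    [status, new_headers, [padded]]
  end

  private

  # Returns the "callback" query parameter if it is a safe identifier,
  # nil if absent or rejected (rejected callbacks mean: no JSONP at all).
  def callback_from(query)
    query.split('&').each do |pair|
      key, value = pair.split('=', 2)
      next unless key == 'callback' && value
      value = URI.decode_www_form_component(value)
      return value.match?(VALID_CALLBACK) ? value : nil
    end
    nil
  end
end

# Flash identifies a SWF by its first three bytes; this is the check an
# attacker relies on passing when the callback reflects into byte 0.
def looks_like_swf?(body)
  %w[FWS CWS ZWS].include?(body.byteslice(0, 3))
end

# Constructed inner app standing in for a trusted JSON endpoint.
INNER_APP = lambda do |_env|
  [200, { 'Content-Type' => 'application/json' },
   [JSON.generate('user' => 'alice', 'token' => 'constructed-secret')]]
end

# Helper used by the demo below: run one GET with the given callback.
def jsonp_response(callback, harden:)
  env = { 'REQUEST_METHOD' => 'GET', 'QUERY_STRING' => "callback=#{callback}" }
  SafeJsonp.new(INNER_APP, harden: harden).call(env)
end

if __FILE__ == $PROGRAM_NAME
  # Alphanumeric callback that an identifier whitelist accepts.
  weak = jsonp_response('CWSaZ9', harden: false)[2].join
  fixed = jsonp_response('CWSaZ9', harden: true)[2].join
  puts "without prefix: #{weak[0, 12].inspect} swf? #{looks_like_swf?(weak)}"
  puts "with prefix:    #{fixed[0, 12].inspect} swf? #{looks_like_swf?(fixed)}"
end
```

Without the prefix the body begins with the reflected `CWS`, so a Flash loader pointed at the JSON endpoint sees a SWF served from the trusted origin; with `/**/` in front the same callback is still honoured for legitimate JSONP clients but the response can no longer pass the SWF magic check. Callbacks that are not plain identifiers (e.g. `alert(1)`) are not wrapped at all and the JSON is returned unchanged.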
@fcsonline

👍

@saimonmoore

👍

@choonkeat

👍

ijcd commented Sep 20, 2014

Bump. This is a security fix. What's the hold up?

manveru added a commit that referenced this pull request Sep 21, 2014
@manveru manveru merged commit 1b11346 into rack:master Sep 21, 2014
7 participants