Fix CVE-2014-4671 #93

Merged
merged 1 commit into from Sep 21, 2014

Conversation

Projects
None yet
7 participants
@Fugiman

Fugiman commented Jul 10, 2014

CVE-2014-4671 describes a reflection attack using JSONP callbacks to cause a trusted domain to return a malicious SWF that can make requests to the trusted domain with the victims credentials. The attack relies on having control over the first byte of the response, and therefore can be mitigated by prepending valid Javascript to the response.

A more detailed write up of the attack and mitigations can be found at http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/

@fcsonline

This comment has been minimized.

Show comment
Hide comment

👍

@saimonmoore

This comment has been minimized.

Show comment
Hide comment

👍

@choonkeat

This comment has been minimized.

Show comment
Hide comment

👍

@ijcd

This comment has been minimized.

Show comment
Hide comment
@ijcd

ijcd Sep 20, 2014

Bump. This is a security fix. What's the hold up?

ijcd commented Sep 20, 2014

Bump. This is a security fix. What's the hold up?

manveru added a commit that referenced this pull request Sep 21, 2014

@manveru manveru merged commit 1b11346 into rack:master Sep 21, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment