==================================
java.com | Arbitrary URL Redirect
==================================

1. VULNERABILITY DESCRIPTION

-> Arbitrary URL Redirect (open redirect, CWE-601)

http://java.com/inc/BrowserRedirect1.jsp?locale=en&host=localhost

The host parameter of BrowserRedirect1.jsp controls the destination the page redirects the visitor to. It is accepted without being checked against the hosts java.com is meant to redirect to, so an attacker can replace it with an arbitrary host (localhost in the proof of concept above) and send a user who trusts a java.com link to a site of the attacker's choosing.

Demo:
http://yehg.net/lab/pr0js/training/view/misc/java.com_Arbitrary_URL_Redirect/

2. VENDOR

Oracle Inc
http://www.oracle.com

3. VULNERABILITY STATUS

FIXED

4. DISCLOSURE TIME-LINE

2011-04-19: reported the issue to vendor
2011-04-23: vendor replied:
"Thank you for bringing this issue to our attention. We appreciate your note and wanted to let you know that we have fixed it. Our Global Information Security group may also send you a note on your report."
2011-04-24: disclosed vulnerability

5. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/sites/java.com/[java.com]_url_redirection

OWASP-Top-10_2010-A10 (Unvalidated Redirects and Forwards):
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

CWE/SANS-TOP-25:
http://www.sans.org/top25-software-errors/

CWE-601 (URL Redirection to Untrusted Site, 'Open Redirect'):
http://cwe.mitre.org/data/definitions/601.html

#yehg [2011-04-24]
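The following is an added example and is not code from the advisory or from Oracle; it models the parameter pattern shown above (a redirector that takes a host and a locale) to contrast the weak behaviour with a host-allowlist check. ALLOWED_HOSTS, the /<locale>/download/ path and the function names are assumptions made for the example. The validation is more general than the single localhost proof of concept: it also rejects userinfo, port, path and fragment tricks that are commonly used to slip past naive redirect checks.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allowlist of hosts the redirector may send a visitor to.
# This is an assumption for the example, not Oracle's configuration.
ALLOWED_HOSTS = {"java.com", "www.java.com", "www.oracle.com"}

# Locale values the redirector accepts, e.g. "en" or "en-US" (assumed format).
LOCALE_RE = re.compile(r"[a-z]{2}(?:[-_][A-Za-z]{2})?")


def vulnerable_redirect_target(host: str, locale: str = "en") -> str:
    """Models the weak pattern behind an open redirect: the caller-supplied
    host is trusted as-is, so host=localhost (or any attacker host) becomes
    the Location the browser follows."""
    return f"http://{host}/{locale}/download/"


def safe_redirect_target(host: str, locale: str = "en") -> Optional[str]:
    """Returns a redirect URL only if 'host' is exactly one of ALLOWED_HOSTS
    and 'locale' matches the expected shape; otherwise returns None so the
    caller can fall back to a fixed default instead of redirecting."""
    if not LOCALE_RE.fullmatch(locale):
        return None
    # Parse the value as the authority part of a URL so it is interpreted the
    # way a browser would interpret the resulting Location header.
    try:
        parts = urlsplit(f"//{host}")
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    # hostname is lower-cased and has userinfo and port stripped, so
    # "java.com@evil.example" yields "evil.example", not "java.com".
    hostname = parts.hostname
    if hostname is None or hostname not in ALLOWED_HOSTS:
        return None
    # Reject anything beyond a bare host name: credentials, a non-default
    # port, a path, a query or a fragment would let the caller reshape the URL.
    if parts.username or parts.password or port not in (None, 80):
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    # Rebuild the URL from validated pieces rather than echoing the input.
    return urlunsplit(("http", hostname, f"/{locale}/download/", "", ""))


if __name__ == "__main__":
    # Constructed inputs: the proof-of-concept value plus common bypass shapes.
    for candidate in ("java.com", "localhost", "java.com.evil.example",
                      "java.com@evil.example", "evil.example/@java.com",
                      "java.com:8080"):
        print(f"{candidate!r:32} vulnerable={vulnerable_redirect_target(candidate)!r:45} "
              f"safe={safe_redirect_target(candidate)!r}")
```

The safe variant compares the parsed host name against the allowlist by equality, not by prefix or suffix, and rebuilds the Location value from the validated host and locale instead of concatenating the raw parameter, which is the fix CWE-601 calls for.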