==================================
java.com | Arbitrary URL Redirect
==================================


1. VULNERABILITY DESCRIPTION

-> Arbitrary URL Redirect (open redirect, CWE-601)
   http://java.com/inc/BrowserRedirect1.jsp?locale=en&host=localhost

   BrowserRedirect1.jsp builds its redirect destination from the client-supplied
   "host" parameter without restricting it to hosts java.com actually intends to
   send visitors to. A link that genuinely points at java.com can therefore be
   made to forward the visitor to an attacker-chosen site; the proof-of-concept
   URL above uses "localhost" as the destination.
   
   Demo: http://yehg.net/lab/pr0js/training/view/misc/java.com_Arbitrary_URL_Redirect/
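
   The source of BrowserRedirect1.jsp is not part of this advisory. The
   following Python model is an added example, not code from yehg or Oracle:
   it reproduces the weakness class (the host parameter copied into the
   redirect target unchecked), a substring "contains java.com" check that
   is a common but bypassable fix, and an exact allow-list check. The
   allow-list, the function names and the assumption that the destination
   is built as http://<host>/<locale>/ are all assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list for the example; the real redirector's intended
# targets are not known from the advisory.
ALLOWED_HOSTS = frozenset({"java.com", "www.java.com"})
DEFAULT_TARGET = "https://www.java.com/en/"

# Bare DNS hostname: labels of [a-z0-9-], no scheme, slash, '@', ':' or port.
HOST_RE = re.compile(
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*"
)
# Locale like "en" or "en_US"; anything else falls back to "en".
LOCALE_RE = re.compile(r"[a-z]{2}(?:_[A-Z]{2})?")


def vulnerable_target(locale: str, host: str) -> str:
    """Model of the reported weakness: whatever the client sends in 'host'
    becomes the authority of the Location the browser is sent to."""
    return f"http://{host}/{locale}/"


def naive_target(locale: str, host: str) -> str:
    """Substring check, a frequent but broken fix: 'java.com.evil.example'
    and 'evil.example/?x=java.com' both pass and still leave java.com."""
    if "java.com" not in host:
        return DEFAULT_TARGET
    return f"http://{host}/{locale}/"


def hardened_target(locale: str, host: str) -> str:
    """Normalise, require a bare hostname, then demand an exact allow-list
    match. Anything else goes to a fixed, server-chosen default."""
    h = host.strip().lower().rstrip(".")
    if not HOST_RE.fullmatch(h) or h not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    if not LOCALE_RE.fullmatch(locale):
        locale = "en"
    return f"https://{h}/{locale}/"


def target_from_query(query: str, builder) -> str:
    """Parse a raw query string such as the advisory's 'locale=en&host=localhost'
    and feed it to one of the three builders above."""
    params = parse_qs(query, keep_blank_values=True)
    locale = params.get("locale", ["en"])[0]
    host = params.get("host", [""])[0]
    return builder(locale, host)


def redirect_host(url: str) -> str:
    """Where the browser actually ends up: the host part of the final URL,
    after userinfo ('user@') and any path/query tricks are stripped."""
    return urlsplit(url).hostname or ""


if __name__ == "__main__":
    # Constructed attacker inputs, including the advisory's own PoC value.
    probes = [
        "localhost",
        "evil.example",
        "java.com.evil.example",
        "java.com@evil.example",
        "evil.example/?x=java.com",
        "WWW.JAVA.COM.",
    ]
    for host in probes:
        for name, fn in (("vulnerable", vulnerable_target),
                         ("naive", naive_target),
                         ("hardened", hardened_target)):
            print(f"{name:10} host={host!r:30} -> {redirect_host(fn('en', host))}")
```

   The two things worth taking from the hardened version: the comparison
   is an exact match against a small set of hostnames, never a prefix or
   substring test, and the fallback on any mismatch is a destination the
   server picks rather than an error page that echoes the attacker's value.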
   
   
2. VENDOR

Oracle Corporation
http://www.oracle.com


3. VULNERABILITY STATUS

FIXED


4. DISCLOSURE TIME-LINE

2011-04-19: reported the issue to vendor
2011-04-23: vendor replied "Thank you for bringing this issue to our attention. We appreciate your note and wanted to let you know that we have fixed it. Our Global Information Security group may also send you a note on your report."
2011-04-24: disclosed vulnerability 


5. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/sites/java.com/[java.com]_url_redirection
OWASP Top 10 2010, A10 (Unvalidated Redirects and Forwards): https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE/SANS Top 25 Most Dangerous Software Errors (CWE-601 is entry #23 in the 2010 list): http://www.sans.org/top25-software-errors/
CWE-601: http://cwe.mitre.org/data/definitions/601.html

#yehg [2011-04-24]