“From the ‘Flaws Without Fixes’ files”
US-CERT is now warning about a potentially dangerous flaw in the SSL-VPN implementations from over two dozen vendors, including industry giant Cisco.
“Clientless SSL VPN products from multiple vendors operate in a way that breaks fundamental browser security mechanisms,” US-CERT warns. “An attacker could use these devices to bypass authentication or conduct other Web-based attacks.”
Sounds scary, doesn’t it? But I’m not so sure we all need to run for the hills and abandon SSL-VPNs (yet).
At issue is the same origin policy that all modern Web browsers use. The same origin policy is basically an attempt to limit which resources can access data from a particular site. That is, you generally don’t want one site having access to the other sites you have open.
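The origin check described above, as an added example that is not part of the original post: a browser treats two URLs as same-origin only when scheme, host and port all match. Clientless SSL VPNs serve every backend site through the gateway's own hostname, so the second half shows those distinct origins collapsing into one. The gateway host, the sample sites and the `/proxy/...` rewrite layout are constructed for illustration and are not any vendor's format.

```javascript
// GATEWAY and the /proxy/<scheme>/<host>/<path> layout are assumptions
// made up for this example, not a real product's URL scheme.
const GATEWAY = "https://vpn.example.com";

// Origin = scheme + host + port; the WHATWG URL parser drops default ports.
function originOf(url) {
  return new URL(url).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Hypothetical rewrite: the backend URL becomes a path under the gateway host.
function rewriteThroughGateway(url) {
  const u = new URL(url);
  const scheme = u.protocol.replace(":", "");
  return `${GATEWAY}/proxy/${scheme}/${u.host}${u.pathname}${u.search}`;
}

// Group URLs by the origin the browser would assign to them.
function groupByOrigin(urls) {
  const groups = new Map();
  for (const url of urls) {
    const key = originOf(url);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(url);
  }
  return groups;
}

// Constructed sample sites a user might have open in one session.
const sites = [
  "https://mail.intranet.example/inbox",
  "https://wiki.intranet.example/home",
  "http://wiki.intranet.example/home",       // differs by scheme
  "https://wiki.intranet.example:8443/home", // differs by port
];

const direct = groupByOrigin(sites);
const viaGateway = groupByOrigin(sites.map(rewriteThroughGateway));

console.log("origins when visited directly:", direct.size);
console.log("origins when visited via gateway:", viaGateway.size);
```

Once every site shares the gateway's origin, the browser no longer separates their cookies or script access from one another, which is the isolation the same origin policy normally provides.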