
httpcomponents-client: credentials disclosure

Package(s): httpcomponents-client
CVE #(s): CVE-2011-1498
Created: June 15, 2011
Updated: June 16, 2011
Description: According to the 4.1.1 release notes, HttpClient suffers from a vulnerability whereby it can send proxy authorization headers to sites other than the proxy.
Alerts:
Fedora: FEDORA-2011-7747 (httpcomponents-client), 2011-06-02


httpcomponents-client: mysterious vulnerability

Posted Jun 16, 2011 6:09 UTC (Thu) by geofft (subscriber, #59789)

This isn't that mysterious. The release notes say the security issue is 1061, not 1069 (which you quoted), which is:

* [HTTPCLIENT-1061] Fixed critical bug causing Proxy-Authorization header to be sent to the target
host when tunneling requests through a proxy server that requires authentication.
Contributed by Oleg Kalnichevski <olegk at apache.org>

Or, in other words, it seems like HttpClient sends your proxy credentials to the proxy server, and then also sends those credentials to whatever random websites you're visiting through the proxy. A malicious website can grab those credentials and then log in to your proxy and use it.

I agree that the English isn't the world's best (see also "This update fixes several bug." from the Fedora alert), but there's no mystery as to what the actual bug here is.
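The header split geofft describes above, modelled as an added Python illustration (not HttpClient's code and not part of this thread): the proxy credential belongs on the CONNECT leg only, the bug copied it onto the request that crosses the tunnel to the origin host, and an audit check flags any proxy-only header that reaches that leg. User, password and host names are constructed placeholders.

```python
import base64
from typing import Dict, List, Tuple

# Hop-by-hop headers between client and proxy. They are meaningful only on
# the CONNECT leg and must never cross the tunnel to the origin server.
PROXY_ONLY_HEADERS = {"proxy-authorization", "proxy-connection", "proxy-authenticate"}


def basic_credential(user: str, password: str) -> str:
    """Encode a Basic credential the way a Proxy-Authorization header carries it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def split_tunnel_headers(
    request_headers: Dict[str, str], proxy_credential: str, vulnerable: bool = False
) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (connect_leg_headers, tunnelled_request_headers).

    connect_leg_headers go to the proxy with the CONNECT request and carry the
    proxy credential. tunnelled_request_headers are what the origin host sees
    once the tunnel is up. vulnerable=True models the HTTPCLIENT-1061 behaviour
    quoted above: the proxy credential is copied onto the origin request too.
    """
    connect_leg = {"Proxy-Authorization": proxy_credential}
    origin = {k: v for k, v in request_headers.items()
              if k.lower() not in PROXY_ONLY_HEADERS}
    if vulnerable:
        origin["Proxy-Authorization"] = proxy_credential
    return connect_leg, origin


def leaked_proxy_headers(tunnelled_headers: Dict[str, str]) -> List[str]:
    """Audit check: names of proxy-only headers that reached the origin leg."""
    return sorted(k for k in tunnelled_headers if k.lower() in PROXY_ONLY_HEADERS)


if __name__ == "__main__":
    # Constructed sample request; credential and host are placeholders.
    cred = basic_credential("alice", "s3cret")
    req = {"Host": "example.test", "User-Agent": "demo/1.0", "Accept": "*/*"}
    for flag in (True, False):
        _, origin = split_tunnel_headers(req, cred, vulnerable=flag)
        print("vulnerable" if flag else "fixed", "->", leaked_proxy_headers(origin))
```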

Fixed

Posted Jun 16, 2011 13:12 UTC (Thu) by corbet (editor, #1)

You're right, I misread that. I've fixed the entry, thanks.

It's nice to know people actually read these vulnerability entries! :)


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds