httpcomponents-client: mysterious vulnerability
Posted Jun 16, 2011 6:09 UTC (Thu) by geofft (subscriber, #59789)Parent article: httpcomponents-client: credentials disclosure
* [HTTPCLIENT-1061] Fixed critical bug causing Proxy-Authorization header to be sent to the target
host when tunneling requests through a proxy server that requires authentication.
Contributed by Oleg Kalnichevski <olegk at apache.org>
Or, in other words, it seems like HttpClient sends your proxy credentials to the proxy server, and then also sends those credentials to whatever random websites you're visiting through the proxy. A malicious website can grab those credentials and then log in to your proxy and use it.
I agree that the English isn't the world's best (see also "This update fixes several bug." from the Fedora alert), but there's no mystery as to what the actual bug here is.
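As an added example, not code from HttpClient or from this thread, here is a small Python model of the header split geofft describes: proxy credentials belong on the CONNECT request to the proxy, never on the request tunneled through to the origin, plus an origin-side check that flags requests still carrying them. All function names and the sample credentials are constructed for illustration.

```python
# Added example (hypothetical names, not HttpClient's code): models how a client
# must split headers between the CONNECT sent to an authenticating proxy and the
# request sent through the tunnel to the origin host.
import base64

# Headers that are meaningful only to the proxy and must never reach the origin.
PROXY_ONLY_HEADERS = {"proxy-authorization", "proxy-connection"}

def proxy_auth_header(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def build_connect_request(host: str, port: int, proxy_auth: str) -> str:
    """Request addressed to the proxy itself; proxy credentials belong here only."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            f"Proxy-Authorization: {proxy_auth}\r\n\r\n")

def build_origin_request(host: str, path: str, headers: dict,
                         strip_proxy_headers: bool) -> str:
    """Request forwarded through the tunnel. With strip_proxy_headers=False this
    reproduces the class of bug in HTTPCLIENT-1061: proxy headers kept in a
    shared header set leak to whatever origin the tunnel points at."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    for name, value in headers.items():
        if strip_proxy_headers and name.lower() in PROXY_ONLY_HEADERS:
            continue
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"

def leaked_proxy_credentials(raw_request: str) -> list:
    """Origin-side check: Proxy-Authorization values found in a request that
    arrived at the target host. Non-empty means a client is forwarding its
    proxy credentials through the tunnel and the event is worth alerting on."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    found = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authorization":
            found.append(value.strip())
    return found

def demo(strip_proxy_headers: bool) -> list:
    auth = proxy_auth_header("alice", "s3cret")  # constructed sample credentials
    shared = {"User-Agent": "example/1.0", "Proxy-Authorization": auth}
    build_connect_request("example.com", 443, auth)  # credentials go to the proxy
    origin = build_origin_request("example.com", "/", shared, strip_proxy_headers)
    return leaked_proxy_credentials(origin)

if __name__ == "__main__":
    print("leaky client:", demo(False))
    print("fixed client:", demo(True))
```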
Posted Jun 16, 2011 13:12 UTC (Thu) by corbet (editor, #1)
It's nice to know people actually read these vulnerability entries! :)
You're right, I misread that. I've fixed the entry, thanks.
Fixed