Apache HttpComponents HttpClient: obtaining proxy password
Synthesis of the vulnerability
When HttpClient connects to a proxy requiring authentication, the proxy login and password are also sent to the remote server.
Impacted products:
Apache HttpClient, Fedora.
BID-46974, CVE-2011-1498, FEDORA-2011-7747, VIGILANCE-VUL-10465, VU#153049.
Description of the vulnerability
The Apache HttpComponents HttpClient product implements the HTTP protocol.
An HTTP authentication uses:
- the Authorization header to authenticate on a remote server
- the Proxy-Authorization header to authenticate on the intermediate proxy
When SSL (https) is used, the Proxy-Authorization header is sent with the request that asks the proxy to open a tunnel to the remote server. However, HttpClient also adds the Proxy-Authorization header to the HTTP requests tunneled through SSL. The remote server thus receives the login and password of the proxy.
When HttpClient connects to a proxy requiring authentication, the proxy login and password are therefore sent to the remote server.
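The following is an added example, not code from the bulletin or from the HttpClient project. It models in Python the behaviour described above: a client that authenticates to a proxy with HTTP Basic credentials, the clear-text CONNECT request sent to the proxy (the standard way an HTTP client asks a proxy to open a tunnel), and the GET request that later travels inside the TLS tunnel to the origin server. The `strip_proxy_auth_in_tunnel` switch, the `ProxyingClient` class and the credentials `alice` / `s3cret` are all constructed for the demonstration. The origin-side check at the end is what an operator of a web server can run against the headers they receive to notice that a client is leaking somebody else's proxy password to them.

```python
import base64
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal model of one HTTP request: method, request-target and headers."""
    method: str
    target: str
    headers: dict = field(default_factory=dict)


def basic_token(user: str, password: str) -> str:
    """Build the value of a Basic authentication header (RFC 7617 encoding)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class ProxyingClient:
    """Toy client (constructed, not HttpClient code) that authenticates to a proxy.

    strip_proxy_auth_in_tunnel=False reproduces the flaw described in the bulletin:
    proxy credentials are attached to every request on the proxy route, including
    the one that is encrypted end-to-end and that the proxy cannot even read.
    strip_proxy_auth_in_tunnel=True is the hardened behaviour: Proxy-Authorization
    is only sent on requests the proxy itself will process.
    """

    def __init__(self, proxy_user: str, proxy_password: str,
                 strip_proxy_auth_in_tunnel: bool) -> None:
        self._proxy_auth = basic_token(proxy_user, proxy_password)
        self._strip = strip_proxy_auth_in_tunnel

    def connect_request(self, host: str, port: int) -> Request:
        """Clear-text request to the proxy asking it to open a tunnel.
        Proxy-Authorization legitimately belongs here: the proxy consumes it."""
        return Request("CONNECT", f"{host}:{port}",
                       {"Host": f"{host}:{port}",
                        "Proxy-Authorization": self._proxy_auth})

    def origin_request(self, host: str, path: str, tunneled: bool) -> Request:
        """Request for the origin server. When tunneled=True it travels inside TLS
        and is only ever read by the origin, so proxy credentials must not be on it."""
        headers = {"Host": host}
        if not (tunneled and self._strip):
            # Vulnerable path: proxy credentials applied regardless of tunneling.
            headers["Proxy-Authorization"] = self._proxy_auth
        return Request("GET", path, headers)


def https_via_proxy(client: ProxyingClient, host: str, path: str):
    """Return (request to the proxy, request inside the tunnel) for an https URL."""
    connect = client.connect_request(host, 443)
    inner = client.origin_request(host, path, tunneled=True)
    return connect, inner


def http_via_proxy(client: ProxyingClient, host: str, path: str) -> Request:
    """Plain http through a proxy: the proxy reads the whole request, so the
    absolute-form target and the Proxy-Authorization header are both expected."""
    req = client.origin_request(host, f"http://{host}{path}", tunneled=False)
    return req


def carries_proxy_authorization(request: Request) -> bool:
    """Origin-side detection: a request that reached an origin server through a
    TLS tunnel should never contain Proxy-Authorization. Header names are
    case-insensitive, so compare them case-insensitively."""
    return any(name.lower() == "proxy-authorization" for name in request.headers)


if __name__ == "__main__":
    vulnerable = ProxyingClient("alice", "s3cret", strip_proxy_auth_in_tunnel=False)
    fixed = ProxyingClient("alice", "s3cret", strip_proxy_auth_in_tunnel=True)
    for label, client in (("vulnerable", vulnerable), ("fixed", fixed)):
        connect, inner = https_via_proxy(client, "example.org", "/private")
        print(f"{label}: CONNECT carries proxy auth = {carries_proxy_authorization(connect)}, "
              f"tunneled GET carries proxy auth = {carries_proxy_authorization(inner)}")
```

Running the block prints that both clients send the header on the CONNECT leg, but only the vulnerable client also sends it on the tunneled GET. The distinction the code enforces is the one the bulletin turns on: Proxy-Authorization is a hop-by-hop credential for the proxy, legitimate on CONNECT and on plain-http requests the proxy forwards, and never appropriate on a request the proxy merely relays as opaque TLS bytes.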
Computer vulnerabilities tracking service
Vigil@nce provides a vulnerability announcement service for applications. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. The technology watch team tracks security threats targeting the computer system. The Vigil@nce vulnerability database contains several thousand vulnerabilities.