vulnerability CVE-2011-1498

Apache HttpComponents HttpClient: obtaining proxy password

Synthesis of the vulnerability

When HttpClient connects to a proxy requiring an authentication, the login and password are sent to the remote server.
Impacted products: Apache HttpClient, Fedora.
Severity: 2/4.
Creation date: 21/03/2011.
Identifiers: BID-46974, CVE-2011-1498, FEDORA-2011-7747, VIGILANCE-VUL-10465, VU#153049.

Description of the vulnerability

The Apache HttpComponents HttpClient product implements the HTTP protocol.

An HTTP authentication uses:
 - the Authorization header to authenticate on a remote server
 - the Proxy-Authorization header to authenticate on the intermediate proxy

When SSL (https) is used, the Proxy-Authorization header is used to require the proxy to open a session to the remote server. However, HttpClient also adds the Proxy-Authorization header to the HTTP session tunneled by SSL. The remote server thus receives the login and the password of the proxy.

When HttpClient connects to a proxy requiring an authentication, the login and password are therefore sent to the remote server.
Complete Vigil@nce bulletin.... (free access)

Share this bulletin

          

Computer vulnerabilities tracking service

Vigil@nce provides an applications vulnerabilities announce. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. The technology watch team tracks security threats targeting the computer system. The Vigil@nce vulnerability database contains several thousand vulnerabilities.