ELinks May Disclose POST Request Data in Clear Text to Remote Users
|
|
SecurityTracker Alert ID: 1018764
|
|
SecurityTracker URL: http://securitytracker.com/id?1018764
|
|
CVE Reference: CVE-2007-5034
|
Date: Oct 3 2007
|
Impact: Disclosure of system information, Disclosure of user information
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): prior to 0.11.3
|
Description: A vulnerability was reported in ELinks. A remote user can obtain potentially sensitive data.
When ELinks makes a POST request to an https URL and a proxy is defined for https, ELinks adds the body and Content-* headers of the POST request to the CONNECT request, which is sent to the proxy in cleartext.
A remote user monitoring network communications between the target user and the proxy can obtain potentially sensitive data. The proxy itself can also obtain potentially sensitive data.
The original advisory is available at:
http://bugzilla.elinks.cz/show_bug.cgi?id=937
Kalle Olavi Niemitalo reported this vulnerability.
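A check for the behaviour described above, as an added example that is not part of the original advisory or the ELinks code: it inspects the bytes a client sent to a proxy before the proxy replied and reports any Content-* headers or body bytes attached to a CONNECT request. The sample requests, the host name and the function names are constructed for illustration.

```python
# Added example: flag CONNECT requests that carry POST entity data.
# Assumption: `raw` holds only the bytes the client sent to the proxy
# before the proxy answered, so nothing after the headers is TLS traffic.

# Constructed sample: a CONNECT that wrongly carries the form submission.
LEAKY = (b"CONNECT shop.example:443 HTTP/1.1\r\n"
         b"Host: shop.example:443\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 27\r\n"
         b"\r\n"
         b"user=alice&password=hunter2")

# Constructed sample: a CONNECT that only names the tunnel endpoint.
CLEAN = (b"CONNECT shop.example:443 HTTP/1.1\r\n"
         b"Host: shop.example:443\r\n"
         b"\r\n")


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return method, target, headers, body


def connect_leaks(raw: bytes):
    """Return findings if a CONNECT carries Content-* headers or a body."""
    method, _target, headers, body = parse_request(raw)
    if method.upper() != "CONNECT":
        return []
    findings = [f"header {name}: {value}" for name, value in headers
                if name.startswith("content-")]
    if body:
        findings.append(f"{len(body)} body byte(s) after CONNECT headers")
    return findings


if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, connect_leaks(sample))
```
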
|
Impact: A remote user can monitor network communications to obtain potentially sensitive data.
|
Solution: The vendor has issued a fixed version (0.11.3).
|
Vendor URL: www.elinks.cz/
|
Cause: Access control error
|
Underlying OS: Linux (Any), UNIX (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Wed, 3 Oct 2007 15:36:22 -0400
Subject: Elinks
|
http://bugzilla.elinks.cz/show_bug.cgi?id=937
CVE-2007-5034
|
|