SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   ELinks Vendors:   elinks.or.cz
ELinks May Disclose POST Request Data in Clear Text to Remote Users
SecurityTracker Alert ID:  1018764
SecurityTracker URL:  http://securitytracker.com/id/1018764
CVE Reference:   CVE-2007-5034   (Links to External Site)
Date:  Oct 3 2007
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 0.11.3
Description:   A vulnerability was reported in ELinks. A remote user can obtain potentially sensitive data.

When ELinks makes a POST request to an https URL and there is a proxy defined for https, ELinks will add the body and Content-* headers of the POST request to the CONNECT request in cleartext.

A remote user monitoring network communications between the target user and the proxy can obtain potentially sensitive data. The proxy itself also can obtain potentially sensitive data.

The original advisory is available at:

http://bugzilla.elinks.cz/show_bug.cgi?id=937

Kalle Olavi Niemitalo reported this vulnerability.

Impact:   A remote user can monitor network communications to obtain potentially sensitive data.
Solution:   The vendor has issued a fixed version (0.11.3).
Vendor URL:  www.elinks.cz/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 3 2007 (Red Hat Issues Fix) ELinks May Disclose POST Request Data in Clear Text to Remote Users
Red Hat has released a fix for Red Hat Enterprise Linux 4 and 5.



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC