Bug 297611 (CVE-2007-5034) - CVE-2007-5034 elinks reveals POST data to HTTPS proxy
Summary: CVE-2007-5034 elinks reveals POST data to HTTPS proxy
Alias: CVE-2007-5034
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://bugzilla.elinks.cz/show_bug.cg...
Depends On: 297981 297991 303881 303891 303901 303911 833893
TreeView+ depends on / blocked
Reported: 2007-09-20 09:42 UTC by Tomas Hoger
Modified: 2019-09-29 12:21 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-01-07 13:39:59 UTC

Attachments (Terms of Use)
0.10.6 upstream patch (7.26 KB, patch)
2007-09-24 19:26 UTC, Josh Bressers
no flags Details | Diff
Upstream patch for 0.11.1 (7.26 KB, patch)
2007-09-24 19:26 UTC, Josh Bressers
no flags Details | Diff

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0933 0 normal SHIPPED_LIVE Moderate: elinks security update 2008-01-08 17:53:47 UTC

Description Tomas Hoger 2007-09-20 09:42:01 UTC
Following problem was reported to elinks bugzilla [1]:

If ELinks is making a POST request to an https URL, and a proxy has been defined
for https, ELinks takes the body and Content-* headers of the POST request and
adds them to the CONNECT request in cleartext.  So the proxy can now snoop all
the data that was supposed to be hidden by TLS, as can anyone between ELinks and
the proxy.  Apparently some proxies also entirely refuse such requests.

[1] http://bugzilla.elinks.cz/show_bug.cgi?id=937

Fixed in 0.11.3, upstream bugzilla contains references to GIT commits in various

Comment 1 Tomas Hoger 2007-09-20 09:54:36 UTC
Support for HTTPS proxy was introduced in elinks version 0.5rc1.  Version of
elinks as shipped in Red Hat Enterprise Linux 3 is therefore not vulnerable. 
Also links as shipped in Red Hat Enterprise Linux 2.1 does not provide HTTPS
proxy support and is not affected by this problem.

Comment 2 Ondrej Vasik 2007-09-20 11:42:43 UTC
Ok, so it seems to be that affected supported versions are FC-6, F-7, RHEL4 and
RHEL5 - because devel contains 0.11.3 version.  I will update versions for
Fedora, because it is the easiest way, for RHEL4 and RHEL5 we should discuss the
way how to proceed.

Comment 4 Tomas Hoger 2007-09-20 12:06:50 UTC
Thanks Ondrej for feedback.  Created tracking bugs for current Fedora versions.

Comment 5 Josh Bressers 2007-09-24 19:26:03 UTC
Created attachment 204441 [details]
0.10.6 upstream patch

Comment 6 Josh Bressers 2007-09-24 19:26:55 UTC
Created attachment 204461 [details]
Upstream patch for 0.11.1

Comment 14 Tomas Hoger 2008-01-07 13:39:59 UTC
Fixed in all affected products:

Red Hat Enterprise Linux:  	

  updated to fixed upstream version

Note You need to log in before you can comment on or make changes to this bug.