297611 – (CVE-2007-5034) CVE-2007-5034 elinks reveals POST data to HTTPS proxy

Bug 297611 (CVE-2007-5034) - CVE-2007-5034 elinks reveals POST data to HTTPS proxy

Summary: CVE-2007-5034 elinks reveals POST data to HTTPS proxy

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2007-5034
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:	http://bugzilla.elinks.cz/show_bug.cg...
Whiteboard:
Depends On:	297981 297991 303881 303891 303901 303911 833893
Blocks:
TreeView+	depends on / blocked

Reported:	2007-09-20 09:42 UTC by Tomas Hoger
Modified:	2019-09-29 12:21 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-01-07 13:39:59 UTC
Embargoed:

Attachments	(Terms of Use)
0.10.6 upstream patch (7.26 KB, patch) 2007-09-24 19:26 UTC, Josh Bressers	no flags	Details \| Diff
Upstream patch for 0.11.1 (7.26 KB, patch) 2007-09-24 19:26 UTC, Josh Bressers	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2007:0933	0	normal	SHIPPED_LIVE	Moderate: elinks security update	2008-01-08 17:53:47 UTC

Description Tomas Hoger 2007-09-20 09:42:01 UTC

Following problem was reported to elinks bugzilla [1]:

If ELinks is making a POST request to an https URL, and a proxy has been defined
for https, ELinks takes the body and Content-* headers of the POST request and
adds them to the CONNECT request in cleartext.  So the proxy can now snoop all
the data that was supposed to be hidden by TLS, as can anyone between ELinks and
the proxy.  Apparently some proxies also entirely refuse such requests.

[1] http://bugzilla.elinks.cz/show_bug.cgi?id=937

Fixed in 0.11.3, upstream bugzilla contains references to GIT commits in various
branches.

Comment 1 Tomas Hoger 2007-09-20 09:54:36 UTC

Support for HTTPS proxy was introduced in elinks version 0.5rc1.  Version of
elinks as shipped in Red Hat Enterprise Linux 3 is therefore not vulnerable. 
Also links as shipped in Red Hat Enterprise Linux 2.1 does not provide HTTPS
proxy support and is not affected by this problem.

Comment 2 Ondrej Vasik 2007-09-20 11:42:43 UTC

Ok, so it seems to be that affected supported versions are FC-6, F-7, RHEL4 and
RHEL5 - because devel contains 0.11.3 version.  I will update versions for
Fedora, because it is the easiest way, for RHEL4 and RHEL5 we should discuss the
way how to proceed.

Comment 4 Tomas Hoger 2007-09-20 12:06:50 UTC

Thanks Ondrej for feedback.  Created tracking bugs for current Fedora versions.

Comment 5 Josh Bressers 2007-09-24 19:26:03 UTC

Created attachment 204441 [details]
0.10.6 upstream patch

Comment 6 Josh Bressers 2007-09-24 19:26:55 UTC

Created attachment 204461 [details]
Upstream patch for 0.11.1

Comment 14 Tomas Hoger 2008-01-07 13:39:59 UTC

Fixed in all affected products:

Red Hat Enterprise Linux:  	
  http://rhn.redhat.com/errata/RHSA-2007-0933.html

Fedora
  updated to fixed upstream version

Note You need to log in before you can comment on or make changes to this bug.