Mozilla Foundation Security Advisory 2005-09

Title: Browser responds to proxy auth request from non-proxy server (ssl/https)
Severity: High
Reporter: Christopher Nebergall
Products: Firefox, Mozilla Suite

Fixed in: Firefox 1.0
  Mozilla Suite 1.7.5

Description

If a proxy is configured, the browser would respond to a 407 (Proxy Authentication Required) request from any SSL-connected server, rather than responding only to the configured proxy server. This could leak NTLM or SPNEGO credentials outside the organization.
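
The decision described above, modelled as an added example (not Mozilla's code): it contrasts answering any 407 once a proxy is configured with answering only a 407 that arrived on the proxy hop. The `from_tunnel` flag, the function names and the sample responses are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    headers: dict       # lower-cased header name -> list of values
    from_tunnel: bool   # assumption: True when read end-to-end inside the SSL tunnel

def parse_response(raw: bytes, from_tunnel: bool) -> Response:
    """Parse the status line and headers of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return Response(status, headers, from_tunnel)

def challenge_schemes(resp: Response) -> list:
    """Auth schemes offered in Proxy-Authenticate, e.g. NTLM or Negotiate (SPNEGO)."""
    return [v.split(" ", 1)[0] for v in resp.headers.get("proxy-authenticate", [])]

def vulnerable_should_answer(resp: Response, proxy_configured: bool) -> bool:
    # Behaviour the advisory describes: with a proxy configured, any 407 is answered.
    return proxy_configured and resp.status == 407 and bool(challenge_schemes(resp))

def fixed_should_answer(resp: Response, proxy_configured: bool) -> bool:
    # Only the proxy hop may ask for proxy credentials. A 407 that arrives
    # through the tunnel was sent by the origin server and is not answered.
    return vulnerable_should_answer(resp, proxy_configured) and not resp.from_tunnel

# Constructed sample: the same 407 bytes, seen on two different hops.
RAW_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
           b"Proxy-Authenticate: NTLM\r\n"
           b"Proxy-Authenticate: Negotiate\r\n"
           b"Content-Length: 0\r\n\r\n")
FROM_PROXY = parse_response(RAW_407, from_tunnel=False)   # reply to CONNECT
FROM_ORIGIN = parse_response(RAW_407, from_tunnel=True)   # reply inside the tunnel

if __name__ == "__main__":
    for label, resp in (("proxy hop", FROM_PROXY), ("inside tunnel", FROM_ORIGIN)):
        print(label, challenge_schemes(resp),
              "vulnerable:", vulnerable_should_answer(resp, True),
              "fixed:", fixed_should_answer(resp, True))
```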

Workaround

Upgrade to the fixed version.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=267263