Mozilla Foundation Security Advisory 2005-09

Browser responds to proxy auth request from non-proxy server (ssl/https)

Announced: January 21, 2005
Reporter: Christopher Nebergall
Impact: High
Products: Firefox, Mozilla Suite
Fixed in:
  • Firefox 1
  • Mozilla Suite 1.7.5

Description

If a proxy is configured, the browser would respond to a 407 proxy authentication request from any SSL-connected server, rather than only from the configured proxy server. This could leak NTLM or SPNEGO credentials outside the organization.
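
The check at issue, modelled as an added example (this is not Mozilla's code): the behaviour described above beside a hardened form that honours a 407 only from the configured proxy. The `Hop` enum, the `Response` struct and all function names are assumptions made for this model, and the sample responses are constructed.

```cpp
#include <iostream>
#include <string>

// Where a response was received (modelling assumption, not a Mozilla type).
enum class Hop {
    Proxy,            // reply from the configured proxy (e.g. to our CONNECT)
    OriginViaTunnel,  // reply read inside the SSL tunnel, i.e. from the web server
    OriginDirect      // reply on a direct connection that bypassed the proxy
};

struct Response {
    int status;               // HTTP status code
    Hop hop;                  // who produced this response
    std::string auth_scheme;  // scheme named in the challenge header
};

// Behaviour the advisory describes: with a proxy configured, any 407 is answered.
bool answers_407_vulnerable(bool proxy_configured, const Response& r) {
    return proxy_configured && r.status == 407;
}

// Hardened check: a 407 is honoured only when the configured proxy sent it.
bool answers_407_hardened(bool proxy_configured, const Response& r) {
    if (!proxy_configured || r.status != 407) return false;
    return r.hop == Hop::Proxy;
}

// Credentials leak when a non-proxy server's 407 is answered with NTLM/SPNEGO.
bool leaks_credentials(bool answered, const Response& r) {
    bool sso = r.auth_scheme == "NTLM" || r.auth_scheme == "Negotiate";
    return answered && sso && r.hop != Hop::Proxy;
}

int main() {
    // Constructed sample responses.
    const Response samples[] = {
        {407, Hop::Proxy, "NTLM"},
        {407, Hop::OriginViaTunnel, "NTLM"},
        {407, Hop::OriginViaTunnel, "Negotiate"},
        {401, Hop::OriginViaTunnel, "NTLM"},
    };
    for (const Response& r : samples) {
        bool v = answers_407_vulnerable(true, r);
        bool h = answers_407_hardened(true, r);
        std::cout << r.status << " vulnerable_leak=" << leaks_credentials(v, r)
                  << " hardened_leak=" << leaks_credentials(h, r) << "\n";
    }
    return 0;
}
```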

Workaround

Upgrade to the fixed version.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=267263