Mozilla Foundation Security Advisory 2005-09
Browser responds to proxy auth request from non-proxy server (ssl/https)
- Announced
- January 21, 2005
- Reporter
- Christopher Nebergall
- Impact
- High
- Products
- Firefox, Mozilla Suite
- Fixed in
-
- Firefox 1
- Mozilla Suite 1.7.5
Description
If a proxy is configured the browser would respond to a 407 proxy auth request from any SSL-connected server rather than only responding to the configured proxy server. This could leak NTLM or SPNEGO credentials outside the organization.
Workaround
Upgrade to the fixed version