[elinks-users] Security bug 937: ELinks reveals POST data to HTTPS proxy

Kalle Olavi Niemitalo kon at iki.fi
Sat Feb 24 04:49:12 PST 2007

"Igor Cappello" <igorkey at gmail.com> writes:

> When I try to authenticate to a page (example: the www.google.com
> account page) which uses https protocol, with a proxy ($http_proxy and
> $https_proxy are ok), I get an error message: "unable to retrieve
> proxy://proxy_addr:proxy_port/https://the_rest_of_the_auth_page_address.php
> (POST DATA) SSL error"

Examining this error revealed a security bug in ELinks,
and the maintainer decided not to delay publication.


If ELinks is making a POST request to an https URL, and a proxy
has been defined for https, ELinks takes the body and Content-*
headers of the POST request and adds them to the CONNECT request
in cleartext.  So the proxy can now snoop all the data that was
supposed to be hidden by TLS, as can anyone between ELinks and
the proxy.  The proxy you are using presumably considers such a
CONNECT request malformed and rejects it entirely.

ELinks 0.10.6 and 0.11.2 have this bug.  Other ELinks versions
that can use a proxy for https also probably have it.  AFAICT,
Links 1.00pre12 and 2.1pre26 cannot use the CONNECT method and so
do not have this bug.

Until the bug is fixed, it is safest to use the https proxy
setting only with trusted proxies connected via secure networks.
Please note that ELinks reads three settings to choose the proxy:
- the protocol.https.proxy.host option,
- the HTTPS_PROXY environment variable, and
- the https_proxy environment variable.
To stop ELinks from using a proxy, you should clear all three.
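
A check that could be run over captured client-to-proxy requests to spot the symptom described above, added here as an example (it is not part of the original message or of ELinks). The function name `audit_connect`, the two sample requests and the rule that tunnel bytes should begin with a TLS handshake record (0x16) are assumptions made for illustration; the sample is constructed from the description, not captured from ELinks.

```python
# Added example: flag CONNECT requests that carry Content-* headers or a
# cleartext body. Both sample requests below are constructed, not captured.

def audit_connect(raw: bytes) -> list[str]:
    """Return findings for one client-to-proxy request given as raw bytes."""
    head, _sep, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    if len(parts) != 3 or parts[0].upper() != b"CONNECT":
        return []  # not a CONNECT request; out of scope for this check
    findings = []
    for line in lines[1:]:
        name, colon, _value = line.partition(b":")
        name = name.strip()
        if colon and name.lower().startswith(b"content-"):
            findings.append("entity header on CONNECT: "
                            + name.decode("ascii", "replace"))
    # Bytes after the blank line are tunnel payload. Assumption: a client that
    # sends early starts with a TLS handshake record (first byte 0x16), so
    # anything else is cleartext sent before TLS was established.
    if rest and rest[0] != 0x16:
        findings.append(f"{len(rest)} cleartext bytes follow the CONNECT headers")
    return findings

# Constructed request showing the reported behaviour: POST body and
# Content-* headers attached to the CONNECT sent to the proxy.
LEAKY = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
         b"Host: www.example.com:443\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 27\r\n"
         b"\r\n"
         b"user=alice&password=hunter2")

# Constructed well-formed CONNECT: headers only, nothing after the blank line.
CLEAN = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
         b"Host: www.example.com:443\r\n"
         b"\r\n")

if __name__ == "__main__":
    for label, request in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, audit_connect(request))
```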