wal-02: Java HTTP proxy credentials exposure

Abstract problem description

HTTP proxy user credentials were exposed to untrusted applets.

Cross reference

Sun Alert 55101

Vendor contact

Shortly after I discovered the issue, I reported it to Sun on December 13th, 2001. Later I found another variant, which I reported on March 15th, 2002.

I am not aware of Java implementations by other vendors that are vulnerable to this issue.

Disclosure policy

I did not release details of the vulnerability before a two-month grace period expired after the issue was announced (and when it expired, it took me a while to actually get to it, sorry).

Detailed problem description

There are two variants. They have little in common, except that both expose HTTP proxy credentials to unprivileged web applets.

One variant is trivial:


   URLConnection.getRequestProperty("proxy-authorization")

The other variant works because the proxy dialog is executed in the applet's AppContext, so the applet has access to the keystrokes the user types to authenticate.


   java.awt.Toolkit.getDefaultToolkit().getSystemEventQueue()

The first variant only poses a security problem if the Basic Access Authentication Scheme is used. The second variant requires the hostile applet to trigger the proxy authorization dialog, so it would only work if the hostile applet was the first to require proxy authentication for a browser session.
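The first variant and its Basic-only impact, as an added example that is not part of the original advisory and is not Sun's code: a hypothetical header store with an unfiltered getter beside one that withholds credential headers from callers. The class name, method names and sample credentials are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added illustration; class and method names are hypothetical, not Sun's code.
public class RequestHeaderStore {
    // Headers that carry credentials and must not be readable by untrusted callers.
    private static final Set<String> CREDENTIAL_HEADERS =
            Set.of("proxy-authorization", "authorization");

    private final Map<String, String> headers = new LinkedHashMap<>();

    // Called by the trusted HTTP stack after the user answers the proxy dialog.
    void setInternal(String name, String value) {
        headers.put(name.toLowerCase(Locale.ROOT), value);
    }

    // "Before": every header, credentials included, is returned to any caller.
    public String getRequestPropertyUnfiltered(String name) {
        return headers.get(name.toLowerCase(Locale.ROOT));
    }

    // "After": credential-bearing headers are withheld from the caller-facing getter.
    public String getRequestProperty(String name) {
        String key = name.toLowerCase(Locale.ROOT);
        return CREDENTIAL_HEADERS.contains(key) ? null : headers.get(key);
    }

    public static void main(String[] args) {
        // Constructed sample credentials, Basic scheme: base64("user:password").
        String basic = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));
        RequestHeaderStore store = new RequestHeaderStore();
        store.setInternal("Proxy-Authorization", basic);
        store.setInternal("User-Agent", "example/1.0");

        String leaked = store.getRequestPropertyUnfiltered("proxy-authorization");
        // Basic is only an encoding, so the leaked value yields the password itself.
        String decoded = new String(Base64.getDecoder()
                .decode(leaked.substring("Basic ".length())), StandardCharsets.UTF_8);
        System.out.println("unfiltered getter -> " + decoded);
        System.out.println("filtered getter   -> " + store.getRequestProperty("proxy-authorization"));
        System.out.println("other headers     -> " + store.getRequestProperty("user-agent"));
    }
}
```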

Disclaimer & Copying

This comes with ABSOLUTELY NO WARRANTY! Copying and quoting permitted.

History

Date               Version  Change
October 02, 2006   1.2      Removed superfluous sections. Fixed broken link. HTML format.
December 16, 2003  1.1      Detailed problem description.
June 10, 2003      1.0      First release.

Author

Harmen van der Wal