HTTP proxy user credentials were exposed to untrusted applets.
Shortly after I discovered the issue, I reported it to Sun on December 13th, 2001. Later I found another variant, that I reported on March 15th, 2002.
I am not aware of Java implementations by other vendors that are vulnerable to this issue.
I did not release details of the vulnerability before a two month grace period expired after the issue was announced (and when it expired, it took me a while to actually get to it, sorry).
There are two variants, that don't have much in common, besides that both allow for exposure of HTTP proxy credentials to unprivileged web applets.
One variant is trivial:
URLConnection.getRequestProperty("proxy-authorization")
The other variant works because the proxy dialog is executed in the applets AppContext, and so the applet has access to the keystrokes that the user does to authenticate him/herself.
java.awt.Toolkit.getDefaultToolkit().getSystemEventQueue()
The first variant only poses a security problem if the Basic Access Authentication Scheme is used. The second variant requires the hostile applet to trigger the proxy authorization dialog, so it would only work if the hostile applet was the first to require proxy authentication for a browser session.
This comes with ABSOLUTELY NO WARRANTY! Copying and quoting permitted.
| Date | Version | Change |
|---|---|---|
| October 02, 2006 | 1.2 | Removed superfluous sections. Fixed broken link. HTML format. |
| December 16, 2003 | 1.1 | Detailed problem description. |
| June 10, 2003 | 1.0 | First release. |