J-Security Center

Title: Proxytunnel Local Proxy Credential Disclosure Vulnerability

Severity: MODERATE

Description:

proxytunnel is an HTTPS tunnel implementation that forwards stdin and stdout through HTTPS. It is available for Linux and Microsoft Windows operating systems.

A vulnerability exists in proxytunnel that can expose proxy credentials to other local users. The author has reported that security changes have been made in the 'cmdline.c' source file to allow proxyuser/proxypass to be passed via environment variables instead of on the command line. When credentials are specified on the command line, other users may be able to view them in system process information with a utility such as 'ps'.

Credentials that have been leaked in this manner may be abused to gain unauthorized access to the proxy.
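The environment-variable approach described above, sketched as an added example (this is not proxytunnel's own 'cmdline.c'). The variable names PROXYUSER and PROXYPASS, the struct and the helper functions are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CRED_MAX 256
struct proxy_creds { char user[CRED_MAX]; char pass[CRED_MAX]; };

/* Copy one variable into dst, then unset it so child processes do not
 * inherit it. Returns -1 if it is unset, empty, or too long for dst. */
static int take_env(const char *name, char *dst, size_t dstlen)
{
    const char *v = getenv(name);
    if (v == NULL || *v == '\0' || strlen(v) >= dstlen)
        return -1;
    memcpy(dst, v, strlen(v) + 1);
    unsetenv(name);
    return 0;
}

/* PROXYUSER / PROXYPASS are names assumed for this example. */
int creds_from_env(struct proxy_creds *c)
{
    memset(c, 0, sizeof *c);
    if (take_env("PROXYUSER", c->user, sizeof c->user) != 0 ||
        take_env("PROXYPASS", c->pass, sizeof c->pass) != 0)
        return -1;
    return 0;
}

/* Returns 1 if secret occurs in any argv element, which is the text
 * other local users can read through ps. */
int secret_in_argv(int argc, char **argv, const char *secret)
{
    for (int i = 0; i < argc; i++)
        if (*secret != '\0' && argv[i] != NULL && strstr(argv[i], secret))
            return 1;
    return 0;
}

int main(int argc, char **argv)
{
    struct proxy_creds c;
    if (creds_from_env(&c) != 0 || secret_in_argv(argc, argv, c.pass)) {
        fprintf(stderr, "supply credentials via environment only\n");
        return 1;
    }
    printf("loaded proxy credentials for %s from environment\n", c.user);
    return 0;
}
```

On Linux, /proc/<pid>/environ is readable only by the process owner and root, so this keeps the values out of the listing other local users see; the variables still need to be set without typing the secret into another command's arguments.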

Affected Products:

  • proxytunnel proxytunnel 1.0.6
  • proxytunnel proxytunnel 1.1.3
