J-Security Center

Title: ELinks HTTPS POST Request Information Disclosure Weakness

Severity: MODERATE

Description:

ELinks is a character-mode browser based on lynx.

ELinks is prone to an information-disclosure weakness that stems from a design error.

Specifically, the weakness arises when the browser sends an HTTP POST request to an SSL-enabled web server through an HTTP proxy. The browser issues the CONNECT method to open a tunnel through the proxy, but then writes the POST request, including its body, to the proxy in plain text rather than inside the encrypted session. An attacker who can capture network traffic between the browser and the proxy with a packet sniffer can therefore read the POST data, which may include sensitive information, and may use it to carry out other attacks.

This issue creates a false sense of security, because the user may assume that sensitive data is encrypted before it is sent to the remote server.

Versions prior to ELinks 0.11.3 are vulnerable to this issue.

Affected Products:

  • Debian Linux 4.0
  • Debian Linux 4.0 alpha
  • Debian Linux 4.0 amd64
  • Debian Linux 4.0 arm
  • Debian Linux 4.0 hppa
  • Debian Linux 4.0 ia-32
  • Debian Linux 4.0 ia-64
  • Debian Linux 4.0 mips
  • Debian Linux 4.0 mipsel
  • Debian Linux 4.0 powerpc
  • Debian Linux 4.0 s/390
  • Debian Linux 4.0 sparc
  • ELinks ELinks 0.10.4
  • ELinks ELinks 0.10.6
  • ELinks ELinks 0.11.1
  • ELinks ELinks 0.11.2
  • ELinks ELinks 0.9.2
  • RedHat Desktop 4.0.0
  • RedHat Enterprise Linux 5 server
  • RedHat Enterprise Linux AS 4
  • RedHat Enterprise Linux Desktop 5 client
  • RedHat Enterprise Linux ES 4
  • RedHat Enterprise Linux WS 4
  • RedHat Fedora Core 6
  • Ubuntu Ubuntu Linux 6.06 LTS amd64
  • Ubuntu Ubuntu Linux 6.06 LTS i386
  • Ubuntu Ubuntu Linux 6.06 LTS powerpc
  • Ubuntu Ubuntu Linux 6.06 LTS sparc
  • Ubuntu Ubuntu Linux 6.10 amd64
  • Ubuntu Ubuntu Linux 6.10 i386
  • Ubuntu Ubuntu Linux 6.10 powerpc
  • Ubuntu Ubuntu Linux 6.10 sparc
  • Ubuntu Ubuntu Linux 7.04 amd64
  • Ubuntu Ubuntu Linux 7.04 i386
  • Ubuntu Ubuntu Linux 7.04 powerpc
  • Ubuntu Ubuntu Linux 7.04 sparc
  • rPath rPath Linux 1

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.