{"vuid":"VU#877625","idnumber":"877625","name":"Proxy auto-config (PAC) files have access to full HTTPS URLs","keywords":["wpad.dat","proxy.pac","PAC","WPAD"],"overview":"Web proxy auto-config (PAC) files are passed the full HTTPS URL in GET requests which may expose sensitive data.","clean_desc":"CWE-212: Improper Cross-boundary Removal of Sensitive Data - CVE-2016-5134 (Google), CVE-2016-1801 (Apple) Web proxy auto-configuration files (proxy.pac) have access to the full URL including the path and parameters in HTTPS GET requests, which may expose sensitive data intended to be protected by HTTPS. This information is passed to the FindProxyForURL() function in the proxy.pac. The PAC file is often retrieved by the browser automatically using the WPAD protocol. An attacker in the position to conduct man-in-the-middle attacks may provide a malicious PAC file capable of exploiting the FindProxyForURL() function to exfiltrate sensitive data.","impact":"An attacker who can provide a specially crafted PAC file can read URLs, including the path and query string, which may contain sensitive information intended to be protected by HTTPS.","resolution":"Apply an update. Apply the latest updates to your browser, see Vendor Information section below. Users who are unable to or do not wish to update their browsers should consider the following workaround.","workarounds":"Disable WPAD. If proxy auto-configuration is not necessary, consider disabling WPAD functionality for your browser.","sysaffected":"This vendors listed below are suspected to be affected by t","thanks":"Thanks to Bas Venis for reporting this vulnerability. We also would like to thank Itzik Kotler and Amit Klein for their presentation at Black Hat 2016, and Alex Chapman and Paul Stone for their presentation at DEF CON 24","author":"This document was written by Trent Novelly.","public":["http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html","https://support.apple.com/en-us/HT206568"],"cveids":["CVE-2016-5134","CVE-2016-1801"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2016-07-28T20:27:44Z","publicdate":"2016-08-04T00:00:00Z","datefirstpublished":"2016-08-04T18:34:36Z","dateupdated":"2017-07-11T19:46:58Z","revision":25,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"1","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"A","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"N","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"2.9","cvss_basevector":"AV:A/AC:M/Au:N/C:P/I:N/A:N","cvss_temporalscore":"2.3","cvss_environmentalscore":"1.68300400432752","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}