Cabal uses Network.HTTP.Proxy which looks up proxy settings via the http_proxy and HTTP_PROXY environment variables.
(Under Windows it also queries the registry for a proxy setting).
Thus, to use cabal behind a proxy one has to put all proxy information into an environment variable.
This is a security related issue when following conditions apply:
Sure, one can argue that the issue is not that big because most users don't work on multi-user systems, even less use systems like Solaris and most proxy password are not that secret.
To fix this there are a few possibilities: