Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3642555 by quaccws
An attacker sharing a libcurl multi-handle connection pool can hijack another user's Negotiate/Kerberos-authenticated connection. When User A authenticates via Negotiate (SPNEGO) and the connection returns to the pool, User B using CURLAUTH_ANY with different credentials gets that connection attached to their transfer. On servers with persistent Negotiate auth (Windows IIS with Kerberos — the default), User B's requests execute as User A.
The root cause is in url_match_auth_ntlm() (lib/url.c:1092): a tentative match sets m->found for a connection whose credentials do not match and then returns FALSE, which short-circuits the matching chain before url_match_auth_nego() can reject the connection. url_match_result() then attaches the connection based solely on m->found being non-NULL and ignores the FALSE result.
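As an added illustration (not libcurl's code and not from the report), the following simplified C model reproduces the control-flow pattern just described: the first matcher records a tentative candidate and returns FALSE, the short-circuited chain never reaches the Negotiate check, and a result function that tests only the candidate pointer attaches the connection anyway, while the hardened variant also requires the chain's verdict. All type, field and function names here are assumptions.

```c
#include <stdbool.h>
#include <string.h>      /* NULL, strcmp */

/* Simplified model of the matching-chain bug; not libcurl's code. All names here are assumptions. */
enum auth { AUTH_NONE, AUTH_NTLM, AUTH_NEGO };

struct conn {              /* a pooled connection */
    enum auth proto;       /* scheme it was authenticated with */
    const char *user;      /* credentials it was authenticated with */
};

struct match {
    const char *want_user; /* credentials of the new transfer */
    bool want_any;         /* transfer allows any auth scheme (CURLAUTH_ANY-like) */
    struct conn *found;    /* candidate recorded by the chain */
};

/* Models url_match_auth_ntlm(): records a tentative candidate, then returns false on a credential mismatch. */
static bool match_ntlm(struct match *m, struct conn *c)
{
    if (m->want_any && c->proto != AUTH_NONE) {
        m->found = c;                      /* tentative, unverified */
        return strcmp(m->want_user, c->user) == 0;
    }
    return true;
}

/* Models url_match_auth_nego(): would reject the mismatch, but never runs once match_ntlm() returns false. */
static bool match_nego(struct match *m, struct conn *c)
{
    if (c->proto == AUTH_NEGO && strcmp(m->want_user, c->user) != 0) {
        m->found = NULL;
        return false;
    }
    return true;
}

/* Vulnerable pattern: attaches whenever a candidate was recorded. */
bool attach_vulnerable(struct match *m, struct conn *c)
{
    (void)(match_ntlm(m, c) && match_nego(m, c)); /* && short-circuits; verdict discarded */
    return m->found != NULL;
}

/* Hardened pattern: attaches only when every matcher agreed. */
bool attach_fixed(struct match *m, struct conn *c)
{
    bool ok = match_ntlm(m, c) && match_nego(m, c);
    return ok && m->found != NULL;
}
```

With a pooled connection authenticated as one user and a new transfer carrying different credentials, attach_vulnerable() returns true and attach_fixed() returns false; with matching credentials both still allow reuse.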
Build configuration: --enable-debug --with-openssl --with-gssapi, with USE_NTLM and USE_SPNEGO compiled in (verified via curl_setup.h) and CURL_GSS_STUB (debug-build fake GSSAPI).