Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3669637 by joesephdiver
When libcurl follows a redirect and the new URL causes proxy re-selection, proxy credentials learned from the originally selected proxy URL can remain in per-transfer state and be reused for the next proxy. In the validated case, a redirect from http:// to https:// switches selection from http_proxy to https_proxy, but credentials from http_proxy=http://user:pass@... are still sent to the https_proxy even when the https_proxy URL contains no credentials. A redirecting server can therefore cause libcurl to send Proxy-Authorization intended for proxy A to proxy B on proxy B’s first request. This appears limited to proxy credentials carried in transfer state, not the intentionally global CURLOPT_PROXYUSERNAME / CURLOPT_PROXYPASSWORD case. As a control, requesting the HTTPS URL directly with the same https_proxy does not send Proxy-Authorization to proxy B. I reproduced this on a local build and observed proxy B receive Proxy-Authorization: Basic dXNlcjpwYXNz on the initial CONNECT.
Reproduced with: curl 8.20.0-DEV (Linux) libcurl/8.20.0-DEV OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 nghttp2/1.43.0 OpenLDAP/2.5.20
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt mqtts pop3 pop3s rtsp smtp smtps telnet tftp ws wss
hackerone-reportsHackerOne disclosed report --> https://hackerone.com/reports/3697719 by xkilua
hackerone-reportsHackerOne disclosed report --> https://hackerone.com/reports/3642555 by quaccws
hackerone-reportsHackerOne disclosed report --> https://hackerone.com/reports/3671818 by arkss
No comments yet.
Be the first to share your thoughts
Log in to join the discussion.
Sign In