Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3677759 by nobcoderr
libcurl can leak .netrc-derived host Authorization credentials across redirected hosts when an HTTP proxy connection is reused. In the PoC, .netrc contains credentials only for a.test, but after a.test redirects to b.test and then c.test over the same keep-alive proxy connection, libcurl sends Authorization: Basic dXNlckE6cGFzc0E= to b.test and c.test. The leaked header is Authorization, not Proxy-Authorization, and the attached controls show the leak disappears when connection reuse is forbidden, when each request uses a new easy handle, and when the same redirect flow is run without a proxy. The issue appears to involve the .netrc / redirect / proxy connection reuse path in lib/url.c and lib/http.c. I reproduced this on curl 8.19.0 / libcurl 8.19.0 on x86_64 Linux. An attachment with the PoC source, server scripts, .netrc file, and captured logs is included.
Reproduced on:
curl 8.19.0 (x86_64-pc-linux-gnu) libcurl/8.19.0 OpenSSL/3.5.5 zlib/1.3.1 brotli/1.2.0 zstd/1.5.7 libidn2/2.3.8 libpsl/0.21.5 libssh2/1.11.1 nghttp2/1.68.1 ngtcp2/1.21.0 nghttp3/1.15.0 librtmp/2.3 mit-krb5/1.22.1 OpenLDAP/2.6.10
Platform:
Linux x86_64
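As an added defender-side check (example code written here, not part of the report or of curl), the script below parses a minimal .netrc and scans a proxy-side request log for the leak described above: a Basic Authorization header whose credentials belong to one .netrc machine but were sent to a different host. The .netrc contents, the a.test/b.test/c.test hop list and the log entries are constructed to mirror the report; the same function run over logs from the report's control runs would be expected to return an empty list.

```python
import base64

# Constructed sample .netrc: credentials only for a.test, as in the report.
NETRC = "machine a.test\nlogin userA\npassword passA\n"

# Constructed proxy-side log of the redirect chain: (request host, headers) per hop.
PROXY_LOG = [
    ("a.test", {"Authorization": "Basic dXNlckE6cGFzc0E="}),
    ("b.test", {"Authorization": "Basic dXNlckE6cGFzc0E="}),
    ("c.test", {"Authorization": "Basic dXNlckE6cGFzc0E="}),
]

def parse_netrc(text):
    """Return {machine: (login, password)} from a minimal .netrc (machine/default/login/password)."""
    creds, cur, tokens, i = {}, None, text.split(), 0
    while i < len(tokens):
        key = tokens[i]
        if key in ("machine", "default"):
            cur = "default" if key == "default" else tokens[i + 1]
            creds[cur] = [None, None]
            i += 1 if key == "default" else 2
        elif key in ("login", "password") and cur is not None:
            creds[cur][0 if key == "login" else 1] = tokens[i + 1]
            i += 2
        else:
            i += 2  # skip an unknown token together with its argument
    return {m: tuple(v) for m, v in creds.items()}

def decode_basic(value):
    """Decode 'Basic <base64>' into (login, password); None for other schemes."""
    scheme, _, b64 = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    login, _, password = base64.b64decode(b64).decode().partition(":")
    return (login, password)

def find_leaks(netrc_text, log):
    """List (host, owning machine) for every Basic Authorization header whose
    credentials come from a .netrc entry for a different host."""
    owners = {pair: m for m, pair in parse_netrc(netrc_text).items() if m != "default"}
    leaks = []
    for host, headers in log:
        pair = decode_basic(headers.get("Authorization", ""))
        owner = owners.get(pair)
        if owner is not None and owner != host:
            leaks.append((host, owner))
    return leaks

if __name__ == "__main__":
    print(find_leaks(NETRC, PROXY_LOG))  # [('b.test', 'a.test'), ('c.test', 'a.test')]
```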
A hardcoded backend URL found in a JavaScript bundle exposed an unauthenticated API endpoint that returned 500+ records containing employee full names, enterprise client details, and internal database IDs. The writeup walks through discovering the URL in the JS bundle, querying the API, and the GDPR/business intelligence impact.
HackerOne disclosed report --> https://hackerone.com/reports/3443563 by somerandomdev
This writeup details an Information Disclosure (CWE-200) vulnerability that allowed viewing the source code and complete domain model mapping of a corporate backend.