oss-sec: [SECURITY ADVISORY] curl: Partial password leak over DNS on HTTP redirect

added 25.06.2020 10:27

by Daniel Stenberg from seclists.org

From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 24 Jun 2020 08:43:30 +0200 (CEST)

Partial password leak over DNS on HTTP redirect

Project curl Security Advisory, June 24th 2020

VULNERABILITY
-------------

libcurl can be tricked to prepend a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s).

libcurl also allows the credentials to be set in the URL, using the standard RFC 3986 format. In this case, the name and password are URL encoded, as that is how they appear in URLs.

When libcurl handles a relative redirect (as opposed to an absolute URL redirect) for an HTTP transfer, the server is only sending a new path to the client and that path is applied on to the existing URL.

This made curl generate a badly formatted full URL when it would do a redirect, and the final re-parsing of the URL would then go bad and wrongly consider a part of the password field to belong to the host name.

Consider a user `dan` with the password `passw@rd123`, which must be URL encoded as `passw%40rd123`. curl would generate a full URL like:

    https://dan:passw@rd123@example.com/path

... while a correct one should have been:

    https://dan:passw%40rd123@example.com/path

... when parsing the wrongly generated URL, libcurl would end up with user name `dan` and password `passw` talking to the host `rd123@example.com`.
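As an added illustration (not part of the advisory or of curl's own code), here is a toy Python model of the bug: a minimal authority parser that, like the libcurl described above, ends the userinfo at the first `@`, plus a flawed relative-redirect rebuild that re-assembles the URL from the decoded credentials beside a corrected one that keeps them percent-encoded. The function names `split_userinfo_host`, `redirect_naive` and `redirect_fixed` are mine, and the sample URL is constructed from the advisory's `dan`, `passw@rd123` and `example.com`.

```python
from urllib.parse import quote, unquote

def split_userinfo_host(url):
    """Toy URL splitter: scheme, user, password (still encoded), host, path.
    As in the libcurl of the advisory, userinfo ends at the FIRST '@'."""
    scheme, _, rest = url.partition("://")
    authority, slash, path = rest.partition("/")
    if "@" in authority:
        userinfo, _, host = authority.partition("@")   # first '@' wins
        user, _, password = userinfo.partition(":")
    else:
        user, password, host = None, None, authority
    return {"scheme": scheme, "user": user, "password": password,
            "host": host, "path": slash + path}

def redirect_naive(url, location):
    """Flawed rebuild (the bug): re-assemble the URL from *decoded* credentials,
    so a '@' inside the password lands unencoded in the new URL."""
    assert location.startswith("/"), "toy model handles absolute-path redirects only"
    p = split_userinfo_host(url)
    user, pw = unquote(p["user"]), unquote(p["password"])
    return f"{p['scheme']}://{user}:{pw}@{p['host']}{location}"

def redirect_fixed(url, location):
    """Correct rebuild: credentials are percent-encoded (RFC 3986) before
    they are put back into the URL, so re-parsing yields the same host."""
    assert location.startswith("/"), "toy model handles absolute-path redirects only"
    p = split_userinfo_host(url)
    user = quote(unquote(p["user"]), safe="")
    pw = quote(unquote(p["password"]), safe="")
    return f"{p['scheme']}://{user}:{pw}@{p['host']}{location}"

# Constructed sample: the advisory's user/password/host plus an initial path,
# and a relative redirect to "/path" sent by the server.
ORIGINAL = "https://dan:passw%40rd123@example.com/start"
LOCATION = "/path"

if __name__ == "__main__":
    for label, rebuild in (("naive", redirect_naive), ("fixed", redirect_fixed)):
        new_url = rebuild(ORIGINAL, LOCATION)
        parts = split_userinfo_host(new_url)
        print(f"{label}: {new_url}")
        print(f"   resolves host {parts['host']!r}, "
              f"password {unquote(parts['password'])!r}")
```

Real parsers differ on the ambiguous URL: Python's `urllib.parse`, for instance, splits userinfo at the last `@`, so only the first-`@` rule of this toy reproduces the host the advisory describes.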