When compiled --with-libmetalink and used with --metalink and --user, curl will use the credentials for any further transfers performed. This includes different hosts and protocols, even ones without transport layer security such as http and ftp. As a result, the credentials only intended for the target site may end up being sent to outside hosts, and without transport layer security, and may be intercepted by attackers in a man-in-the-middle network position.
For example, HTTP redirects will not leak the credentials to other hosts unless --location-trusted is used, thus this is unexpected and insecure behaviour.
--with-libmetalink and build libcurl
<url> referencing data on different host than testsite and using http protocol
curl --metalink --user professor:Joshua https://testsite/metalinktest.xml
The credentials can be seen by the target host and anyone in a man-in-the-middle position:
Authorization: Basic cHJvZmVzc29yOkpvc2h1YQ==
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) might be a more accurate CWE.
--location-trusted should be extended to apply to --metalink as well.
Leak of credentials to unauthorized parties
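
A pre-flight check for the behaviour described above, as an added example that is not part of the original report or of curl: it parses a metalink file and lists the url entries that sit on a different host than the one the file came from, or that lack transport layer security, which is where the --user credentials would be sent. The sample XML, the host mirror.example and the function name audit_metalink are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample, shaped like a Metalink 4 (RFC 5854) document that
# https://testsite/metalinktest.xml might return. mirror.example is made up.
SAMPLE_METALINK = """
<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="data.bin">
    <url>https://testsite/data.bin</url>
    <url>http://mirror.example/data.bin</url>
    <url>ftp://testsite/data.bin</url>
  </file>
</metalink>
"""

TLS_SCHEMES = {"https", "ftps"}


def audit_metalink(xml_text, metalink_url):
    """Return [(url, [reasons])] for each <url> that would expose credentials."""
    if "<!doctype" in xml_text.lower():
        raise ValueError("DTD not accepted in an untrusted metalink file")
    trusted_host = (urlsplit(metalink_url).hostname or "").lower()
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        target = (elem.text or "").strip()
        # Match <url> in any namespace (Metalink 3 and 4 use different ones).
        if elem.tag.rsplit("}", 1)[-1] != "url" or not target:
            continue
        parts = urlsplit(target)
        reasons = []
        if (parts.hostname or "").lower() != trusted_host:
            reasons.append("different host")
        if parts.scheme.lower() not in TLS_SCHEMES:
            reasons.append("no transport layer security")
        if reasons:
            findings.append((target, reasons))
    return findings


if __name__ == "__main__":
    for url, reasons in audit_metalink(SAMPLE_METALINK, "https://testsite/metalinktest.xml"):
        print(f"{url}: {', '.join(reasons)}")
```

An empty result means every listed url stays on the original host over TLS; any finding is a transfer that should run without --user.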