sensitive HTTP server headers also sent to proxies
Project curl Security Advisory, April 29th 2015 - Permalink
libcurl provides applications a way to set custom HTTP headers to be sent to the server by using
CURLOPT_HTTPHEADER. A similar option is available for the curl command-line tool with the '--header' option.
When the connection passes through an HTTP proxy the same set of headers is sent to the proxy as well by default. While this is by design, it has not necessarily been clear nor understood by application programmers.
Such tunneling over a proxy is done for example when using the HTTPS protocol
- or when explicitly asked for. In this case, the initial connection to the proxy is made in clear including any custom headers using the HTTP CONNECT method.
While libcurl provides the
CURLOPT_HEADEROPT option to allow applications to tell libcurl if the headers should be sent to host and the proxy or use separate lists to the different destinations, it has still defaulted to sending the same headers to both parties for the sake of compatibility.
If the application sets a custom HTTP header with sensitive content (e.g., authentication cookies) without changing the default, the proxy, and anyone who listens to the traffic between the application and the proxy, might get access to those values.
Note: this problem doesn't exist when using the
CURLOPT_COOKIE option (or the '--cookie' option) or the HTTP auth options, which are always sent only to the destination server.
This flaw can also affect the curl command line tool if a similar operation series is made with that.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-3153 to this issue.
CWE-201: Information Exposure Through Sent Data
This flaw is relevant for applications that use
CURLOPT_HTTPHEADER to set headers with sensitive values and make HTTPS connections to the server via an HTTP proxy.
In version 7.37.0, libcurl introduced new options allowing applications to control which headers are sent to the proxy and which are sent only to the destination server -
CURLOPT_HEADEROPT & CURLOPT_PROXYHEADER.
Starting in 7.42.1, the new default for this option will be
CURLHEADER_SEPARATE. This has the minor drawback to the rare applications that truly intend the headers to be sent to both parties, that they need to change this option in their application.
curl of version >= 7.37 already sends headers that are set with '--header' option only to the destination server if --proxy-header is also used.
A patch for this problem that changes the default is available at:
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 7.42.1
B - Apply the patch to your version and rebuild
C - Set
It was first reported to the curl project on March 12 2015. We contacted distros@openwall on April 23.
libcurl 7.42.1 was released on April 29 2015, coordinated with the publication of this advisory.
Reported by Yehezkel Horowitz and Oren Souroujon.
Thanks a lot!