cURL / Mailing Lists / curl-users / Single Mail

curl-users

FLAW: curl reveals proxy authentication

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sun, 3 Aug 2003 01:26:36 +0200 (CEST)

Hi

curl 7.10.6 and all earlier versions have a pretty signification flaw that
reveal the user name and password used for a proxy, to the remote host.

When proxy authentication is used in a CONNECT request (as used for all SSL
connects and otherwise enforced tunnel-thru-proxy requests), the same
authentication header is also wrongly sent to the remote host.

The name and password can then be captured by an evil host and possibly get
used for malicious purposes.

Fix:
  Apply the attached patch to your libcurl source. It should apply cleanly
to most recent curl versions.

Work-arounds:
 1. Don't use proxy authentication
 2. Make sure your proxy isn't accessible from the outside by anyone who
    might've received your name and password for it.
 3. Don't use curl for this until patched.

Ok, the hour is late now and it is weekend. I'll be releasing another curl
release shortly due to this.

If you have any questions about this flaw or patch, you know where to post
them!

-- 
 Daniel Stenberg -- curl: been grokking URLs since 1998
-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
Received on 2003-08-03