Vigil@nce - curl: credential disclosure via the connection cache
August 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who controls an HTTP server can collect usernames and
associated passwords from curl-originated requests.
Impacted products: cURL, Fedora, openSUSE, Puppet.
Severity: 2/4.
Creation date: 17/06/2015.
DESCRIPTION OF THE VULNERABILITY
The curl product includes an HTTP client library.
It manages usernames and passwords, notably for HTTP Basic
authentication. It also keeps a cache of open TCP connections so that
they can be reused, as governed by the rules of the HTTP "Connection"
header. However, the function curl_easy_reset() does not clear the
credentials stored in these cached connection descriptors. So, when a
client requests a protected resource and then a public one from the
same server, the library reuses a connection descriptor that still
holds the credentials and sends them with the second request.
An attacker who controls an HTTP server can therefore collect
usernames and associated passwords from curl-originated requests.
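As an added example (not part of this bulletin and not curl project code), the following local HTTP server records which requests deliver Basic credentials to paths that should be public. Run a libcurl client through the protected-then-public sequence described above against it and call leaked_credentials() to see whether the second request still carried an Authorization header. PUBLIC_PATHS and the realm name are assumptions.

```python
"""Local test server that records which requests deliver HTTP Basic
credentials to paths that should be public. Constructed example, not code
from the Vigil@nce bulletin or the curl project."""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PUBLIC_PATHS = {"/public"}  # assumption: paths that must never receive credentials
RECORDS = []                # (path, username or None) for every request received


def parse_basic(header):
    """Return the username from a 'Basic <base64>' header value, else None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded.split(":", 1)[0]


class AuditHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        user = parse_basic(self.headers.get("Authorization"))
        RECORDS.append((self.path, user))
        if self.path not in PUBLIC_PATHS and user is None:
            self.send_response(401)   # protected path: demand Basic auth
            self.send_header("WWW-Authenticate", 'Basic realm="audit"')
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # silence the default access log
        pass


def start_server():
    """Bind the audit server to an ephemeral port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), AuditHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def leaked_credentials(records=RECORDS):
    """Requests that delivered a username to a public path: the leak pattern."""
    return [(p, u) for p, u in records if p in PUBLIC_PATHS and u is not None]
```

A client that is free of the flaw produces an empty list from leaked_credentials() after fetching /private with credentials and then /public.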
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/curl-credential-disclosure-via-the-connection-cache-17153