Project curl Security Advisory, April 29th 2015 - Permalink
libcurl provides applications a way to set custom HTTP headers to be sent to
the server by using CURLOPT_HTTPHEADER. A similar option is available for
the curl command-line tool with the '--header' option.
When the connection passes through an HTTP proxy the same set of headers is sent to the proxy as well by default. While this is by design, it has not necessarily been clear nor understood by application programmers.
Such tunneling over a proxy is done for example when using the HTTPS protocol
- or when explicitly asked for. In this case, the initial connection to the proxy is made in clear including any custom headers using the HTTP CONNECT method.
While libcurl provides the CURLOPT_HEADEROPT option to allow applications to
tell libcurl if the headers should be sent to host and the proxy or use
separate lists to the different destinations, it has still defaulted to
sending the same headers to both parties for the sake of compatibility.
If the application sets a custom HTTP header with sensitive content (e.g., authentication cookies) without changing the default, the proxy, and anyone who listens to the traffic between the application and the proxy, might get access to those values.
Note: this problem does not exist when using the CURLOPT_COOKIE option (or
the --cookie option) or the HTTP auth options, which are always sent only to
the destination server.
This flaw can also affect the curl command line tool if a similar operation series is made with that.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-3153 to this issue.
CWE-201: Information Exposure Through Sent Data
Severity: High
This flaw is relevant for applications that use CURLOPT_HTTPHEADER to set
headers with sensitive values and make HTTPS connections to the server via an
HTTP proxy.
- Affected versions: curl 4.0 to and including 7.42.0
- Not affected versions: curl >= 7.42.1
- Introduced-in: https://github.com/curl/curl/commit/ae1912cb0d494b48d514
In version 7.37.0, libcurl introduced new options allowing applications to
control which headers are sent to the proxy and which are sent only to the
destination server - CURLOPT_HEADEROPT & CURLOPT_PROXYHEADER.
Starting in 7.42.1, the new default for this option is CURLHEADER_SEPARATE.
This has the minor drawback to the rare applications that truly intend the
headers to be sent to both parties, that they need to change this option in
their application.
curl of version >= 7.37 already sends headers that are set with --header
option only to the destination server if --proxy-header is also used.
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 7.42.1
B - Apply the patch to your version and rebuild
C - Set CURLOPT_HEADEROPT to CURLHEADER_SEPARATE
It was first reported to the curl project on March 12 2015. We contacted distros@openwall on April 23.
libcurl 7.42.1 was released on April 29 2015, coordinated with the publication of this advisory.
- Reported-by: Yehezkel Horowitz, Oren Souroujon
- Patched-by: Daniel Stenberg
Thanks a lot!