LWP::UserAgent Cross-Origin Credential Leakage Vulnerability
Vulnerability
A vulnerability exists in LWP::UserAgent versions prior to 6.83 for Perl, where Authorization and Proxy-Authorization headers are improperly forwarded during cross-origin redirects. This flaw allows credentials to be sent to an attacker-controlled host, potentially leading to unauthorized access. The issue arises because the redirect handler only removes the Host and Cookie headers, leaving sensitive authorization information intact.
Impact
Exploitation of this vulnerability could result in the unintended disclosure of authorization credentials to a third-party server, particularly in scenarios where cross-origin redirects are involved.
Reproduction
To reproduce this vulnerability, use LWP::UserAgent to send a request that includes Authorization or Proxy-Authorization headers. Ensure that the response includes a cross-origin redirect (302, 303, or 307 status code) to a URL controlled by an attacker. The follow-up request will inadvertently include the authorization headers, thereby leaking credentials to the attacker's server.
Remediation
Users can upgrade to LWP::UserAgent version 6.83 or later, where this vulnerability has been addressed. Instructions for upgrading can be found on MetaCPAN.
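For code that has to run on a release older than 6.83 until the upgrade lands, the missing header removal can be applied in a subclass. This is an added example, not code from LWP or from the 6.83 fix; the class name `StripAuthUA`, the scheme/host/port definition of "origin", and the sample URLs and token are assumptions made for illustration.

```perl
package StripAuthUA;    # hypothetical class name, not part of LWP
use strict;
use warnings;
use parent 'LWP::UserAgent';
use URI;

# scheme://host:port of a URL (default port filled in), or undef for
# URLs that have no host part. Assumed definition of "origin".
sub _origin {
    my $uri = URI->new("$_[0]")->canonical;
    return unless $uri->can('host_port');
    return $uri->scheme . '://' . $uri->host_port;
}

# LWP calls redirect_ok() with the request it is about to send for a
# redirect and the response that triggered it. Headers removed from the
# prospective request here are not sent to the redirect target.
sub redirect_ok {
    my ($self, $next, $response) = @_;
    return 0 unless $self->SUPER::redirect_ok($next, $response);
    my $prev = $response->request;
    my $from = $prev ? _origin($prev->uri) : undef;
    my $to   = _origin($next->uri);
    # Unknown or differing origin: drop both credential headers.
    unless (defined $from && defined $to && $from eq $to) {
        $next->remove_header('Authorization', 'Proxy-Authorization');
    }
    return 1;
}

package main;
use HTTP::Request;
use HTTP::Response;

# Offline self-check on constructed objects; no network traffic is sent.
sub check {
    my ($from_url, $to_url) = @_;
    my $orig = HTTP::Request->new(GET => $from_url);
    my $resp = HTTP::Response->new(302, 'Found', [Location => $to_url]);
    $resp->request($orig);
    my $next = HTTP::Request->new(GET => $to_url,
        [Authorization => 'Bearer constructed-sample-token']);
    StripAuthUA->new->redirect_ok($next, $resp);
    return defined $next->header('Authorization') ? 'kept' : 'stripped';
}

printf "%-9s %s\n", check('https://api.example.test/a', 'https://api.example.test/b'),   'same origin';
printf "%-9s %s\n", check('https://api.example.test/a', 'https://other.example.test/b'), 'different host';
printf "%-9s %s\n", check('https://api.example.test/a', 'http://api.example.test/b'),    'scheme downgrade';
```

Headers configured with `default_header` are re-applied by LWP to every outgoing request, so this subclass only covers credentials set on the individual request.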
