oss-sec mailing list archives
aria2 leaks passwords for HTTP based authentication
From: Dhiraj Mishra <mishra.dhiraj95 () gmail com>
Date: Wed, 2 Jan 2019 11:04:23 +0400
Hi List,

aria2 is a lightweight multi-protocol command-line utility which leaks data or a potential password via the `--log=` attribute for HTTP based authentication, which might allow local attackers to obtain sensitive information. This issue is somewhat similar to (2019/01/01/1).

It was observed that URLs which get downloaded via the `--log=` attribute store sensitive information.

Example:

`aria2c --log=file https://user:passwd@example.com/`

Later CVE-2019-3500 was assigned to this.

Thank you
@mishradhiraj_
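An added example, not part of the original post and not aria2 code: a Python check a defender could run over existing download logs to find URLs with embedded userinfo, produce a redacted copy, and flag log files that other local users can read. The sample log lines are constructed and do not reproduce aria2's real log format; all function names are hypothetical.

```python
import os
import re
import stat

# scheme://userinfo@rest ; userinfo may not contain '/', '?', '#' or '@',
# so an '@' that appears later in a path or query string is not matched.
URL_WITH_USERINFO = re.compile(
    r"\b((?:https?|ftp)://)([^\s/?#@'\"<>]+)@([^\s'\"<>]+)", re.I)

def _redact(match):
    """Rebuild the matched URL with the userinfo replaced by a marker."""
    return match.group(1) + "REDACTED@" + match.group(3)

def scan_log(text):
    """Return (line_number, redacted_url) for each URL carrying userinfo."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        for match in URL_WITH_USERINFO.finditer(line):
            hits.append((number, _redact(match)))
    return hits

def redact_log(text):
    """Return the log text with every embedded userinfo removed."""
    return URL_WITH_USERINFO.sub(_redact, text)

def readable_by_others(path):
    """True if group or other users hold read permission (POSIX mode bits)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

# Constructed sample lines (assumption: not actual aria2 output).
SAMPLE_LOG = """\
2019-01-02 11:04:23 [INFO] Requesting https://user:passwd@example.com/file.iso
2019-01-02 11:04:24 [INFO] Redirect to https://mirror.example.org/file.iso?c=a@b
2019-01-02 11:04:25 [DEBUG] URI=ftp://alice@files.example.net/pub/a.txt by ops@example.com
"""

if __name__ == "__main__":
    for number, url in scan_log(SAMPLE_LOG):
        print(f"line {number}: credentials in URL -> {url}")
```

The scan reports the matched URLs only in redacted form, so its own output can be stored or forwarded without repeating the leak.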