FERRAMENTAS LINUX: Stop Leaking Passwords: The LWP::UserAgent Redirect Vulnerability (CVE-2026-8368)

Saturday, 16 May 2026

Your Perl scripts might be leaking passwords to attackers. This old LWP::UserAgent flaw (CVE-2026-8368) sends credentials on cross-origin redirects. Learn how to check, patch, and mitigate on openSUSE – plus build tools to catch the next zero-day before it bites.

Back in May 2026, a quietly dangerous flaw was found in LWP::UserAgent, the HTTP client that countless Perl scripts rely on. The bug was simple but nasty: when following a redirect (a 3xx response), the module stripped the Host and Cookie headers but left Authorization and Proxy-Authorization intact. That meant your API keys, basic auth passwords, or proxy credentials could be sent to an attacker-controlled server if a site you trusted redirected you there.

The patch went out in version 6.83 (the openSUSE update is perl-libwww-perl-6.830.0-1.1). But that was months ago. The real lesson isn't about one CVE – it's about building a mindset and toolkit to handle the next one, and the one after that.


How to check if you are still vulnerable

On openSUSE Tumbleweed, run:
```bash
zypper info perl-libwww-perl | grep Version
```


If the version is lower than 6.830.0, you are vulnerable.

To see the exact package version and release that is installed, so you can compare it against 6.830.0:
```bash
rpm -q perl-libwww-perl
```

And to check the LWP::UserAgent version that perl actually loads:
```bash
perl -MLWP::UserAgent -e 'print $LWP::UserAgent::VERSION'
```
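Version strings can mislead (a copy installed from CPAN earlier in @INC can shadow the packaged module), so here is a behavioural check, added here as an example rather than taken from the original post: one local HTTP::Daemon plays a trusted origin on 127.0.0.1 that redirects to the same port on `localhost`, a different origin as far as the client is concerned, and reports whether the Authorization header arrived. It assumes HTTP::Daemon is installed and that `localhost` resolves to 127.0.0.1; the bearer token is a constructed dummy value.

```perl
# Behavioural check: does the LWP::UserAgent that perl actually loads forward
# Authorization across a cross-origin redirect? (Added example, not from the post.)
use strict;
use warnings;
use HTTP::Daemon;
use HTTP::Request;
use HTTP::Response;
use LWP::UserAgent;

# One local daemon plays both roles: 127.0.0.1 is the "trusted" origin and
# localhost (assumed to resolve to 127.0.0.1) is a different origin to the client.
my $d = HTTP::Daemon->new(LocalAddr => '127.0.0.1', ReuseAddr => 1, Timeout => 5)
    or die "cannot start daemon: $!";
my $port = $d->sockport;

my $pid = fork();
die "fork failed: $!" unless defined $pid;

if ($pid == 0) {
    # Child: the client under test, carrying a constructed dummy credential.
    my $ua  = LWP::UserAgent->new(timeout => 5);
    my $req = HTTP::Request->new(GET => "http://127.0.0.1:$port/first");
    $req->header(Authorization => 'Bearer constructed-dummy-token');
    my $res  = $ua->request($req);
    my $body = $res->is_success ? $res->decoded_content : 'ERROR: ' . $res->status_line;
    print "$body\n";
    # 0 = credential stripped, 1 = credential leaked, 2 = redirect chain did not complete
    exit($body eq 'CLEAN' ? 0 : $body eq 'LEAKED' ? 1 : 2);
}

# Parent: serve the two requests a followed redirect produces.
for (1 .. 2) {
    my $c = $d->accept or last;      # Timeout above stops us hanging if only one arrives
    if (my $r = $c->get_request) {
        if ($r->uri->path eq '/first') {
            # Trusted origin sends the client to a different host: cross-origin.
            $c->send_response(HTTP::Response->new(302, 'Found',
                [Location => "http://localhost:$port/second"]));
        } else {
            # "Attacker" origin reports whether the Authorization header arrived.
            my $body = defined $r->header('Authorization') ? 'LEAKED' : 'CLEAN';
            $c->send_response(HTTP::Response->new(200, 'OK',
                ['Content-Type' => 'text/plain'], $body));
        }
    }
    $c->close;
}
waitpid($pid, 0);
exit($? >> 8);
```

Exit status 1 means the installed client still forwards credentials cross-origin; 2 means the redirect chain did not complete (for example, the client refused the redirect outright), which also deserves a look.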


Automation script to apply the fix

Save this as patch-lwp-leak.sh and run it as root on any openSUSE system:
```bash
#!/bin/bash
# patch-lwp-leak.sh – updates libwww-perl and verifies the fix

set -euo pipefail

FIXED_MODULE_VERSION="6.83"   # LWP::UserAgent version that ships the fix

echo "[+] Refreshing repositories..."
zypper --non-interactive refresh

echo "[+] Installing fixed perl-libwww-perl..."
zypper --non-interactive install --allow-vendor-change perl-libwww-perl-6.830.0

echo "[+] Verifying the version perl actually loads..."
VERSION=$(perl -MLWP::UserAgent -e 'print $LWP::UserAgent::VERSION')
# Numeric comparison, so 6.84 and later also count as fixed.
if perl -e 'exit(($ARGV[0] >= $ARGV[1]) ? 0 : 1)' "$VERSION" "$FIXED_MODULE_VERSION"; then
    echo "[✓] Fixed version $VERSION installed."
else
    echo "[!] Loaded version $VERSION is older than $FIXED_MODULE_VERSION. Manual check required."
    exit 1
fi

echo "[+] Done. This script solves one CVE. But real security comes from understanding."
```



This script handles exactly this vulnerability. To learn how to write such scripts for any future CVE, you need the book "Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly".

That book teaches you to build tools that dissect malware – not just chase patches. 

Practical Binary Analysis (advertising) -> https://amzn.to/4forNaC


A patch fixes the hole, but attackers don't just send malformed IPs; they deliver malware that exploits the flaw, persists, and phones home. The companion "Practical Malware Analysis: The Hands‑On Guide to Dissecting Malicious Software" shows you how to tear apart the real payloads that exploit these CVEs. 

Stop chasing patches – learn to dissect the malware that exploits them.

Practical Malware Analysis (advertising) -> https://amzn.to/4tK36sX

I earn a commission if you make a purchase.


Alternative mitigation if you can't update now

If you are stuck on an older version (legacy system, frozen dependency), you have options:

1. Block cross‑origin redirects at the application level

In your Perl code, disable automatic redirects and handle them manually:
```perl
use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;
use URI;

# Two URLs share an origin only if scheme, host and port all match.
sub is_same_origin {
    my ($u, $v) = map { URI->new($_) } @_;
    return $u->scheme eq $v->scheme
        && lc($u->host) eq lc($v->host)
        && $u->port == $v->port;
}

my $request = HTTP::Request->new(GET => 'https://api.example.com/data');
$request->header(Authorization => 'Bearer <token>');

my $ua = LWP::UserAgent->new;
$ua->max_redirect(0);  # No automatic follow
my $response = $ua->request($request);

if ($response->is_redirect) {
    # Location may be relative; resolve it against the original URI
    my $new_url = URI->new_abs($response->header('Location'), $request->uri);
    # Only follow if same origin, keeping the credentials on the re-sent request
    if (is_same_origin($request->uri, $new_url)) {
        $request->uri($new_url);
        $response = $ua->request($request);
    } else {
        warn "Cross-origin redirect blocked: $new_url";
    }
}
```

2. Strip sensitive headers before any request

Override the redirect_ok method to remove Authorization and Proxy‑Authorization:
```perl
package SafeUA;
use strict;
use warnings;
use parent 'LWP::UserAgent';

# LWP calls this before following any redirect; $request is the new
# (redirected) request, so headers removed here never leave the host.
sub redirect_ok {
    my ($self, $request, $response) = @_;
    $request->remove_header('Authorization', 'Proxy-Authorization');
    return $self->SUPER::redirect_ok($request, $response);
}

1;

# Usage: my $ua = SafeUA->new;  # drop-in replacement for LWP::UserAgent->new
```

3. Network‑level containment with iptables

If you cannot modify the code, restrict outbound connections from the vulnerable process to only trusted IPs:
```bash
# Allow only connections to 192.168.1.0/24 and drop everything else.
# Order matters: the ACCEPT rule must be appended before the DROP rule.
iptables -A OUTPUT -m owner --uid-owner wwwrun -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner wwwrun -j DROP
```


4. AppArmor profile to constrain the interpreter

On openSUSE, AppArmor can limit which network resources a process can access. Write a profile for /usr/bin/perl that blocks connections to external networks unless explicitly allowed.

Conclusion

A single zypper patch fixes this CVE. But next week there will be another. The professionals who stay ahead aren't the ones who update fastest – they are the ones who can reverse the malware that weaponizes these flaws.
