Summary
The library hardcodes CURLOPT_SSL_VERIFYPEER => false in its Curl.php constructor, with no option to override it. HTTP Basic/Digest credentials, proxy credentials, and SSL client certificate passphrases are all sent over this unverified TLS connection.
Note: The README states this project is NOT MAINTAINED. Filing for awareness.
Details
Curl.php — constructor:
    $curlOptions = array(
        CURLOPT_SSL_VERIFYPEER => false, // HARDCODED — no override possible
        ...
    );
    curl_setopt_array($this->ch, $curlOptions);
Credentials sent over unverified TLS:
    if (isset($options['login'])) {
        curl_setopt($this->ch, CURLOPT_USERPWD, $options['login'].':'.$options['password']);
    }
    if (isset($options['proxy_login'])) {
        curl_setopt($this->ch, CURLOPT_PROXYUSERPWD, $options['proxy_login'].':'.$options['proxy_password']);
    }
    if (isset($options['passphrase'])) {
        curl_setopt($this->ch, CURLOPT_SSLCERTPASSWD, $options['passphrase']);
    }
Impact
- HTTP Basic/Digest credentials transmitted over unverified TLS
- Proxy credentials and SSL client certificate passphrases exposed
- Full SOAP request/response payload visible to MITM attacker
Remediation
Remove CURLOPT_SSL_VERIFYPEER => false from the default options array. PHP 5.6+ defaults are secure.
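As an added illustration of that remediation (example code, not the library's own), the constructor logic below keeps peer and host verification on by default, lets a caller point at a private CA bundle instead of disabling verification, and refuses any caller-supplied option set that would turn it off before credentials are attached. The class name, the 'ca_bundle' and 'curl_options' keys, and verifyOptions() are assumptions; the 'login'/'password' keys follow the advisory.

```php
<?php
// Added example, not the library's code: hardened replacement for the
// constructor logic quoted in the advisory. Class name, 'ca_bundle',
// 'curl_options' and verifyOptions() are hypothetical.
class HardenedCurl
{
    private $ch;
    /** TLS-related options every request starts from. */
    public static function secureDefaults()
    {
        return array(
            CURLOPT_SSL_VERIFYPEER => true, // verify the server certificate chain
            CURLOPT_SSL_VERIFYHOST => 2,    // and that it matches the requested host
            CURLOPT_RETURNTRANSFER => true,
        );
    }
    /** Rejects an option set that would send credentials over unverified TLS. */
    public static function verifyOptions(array $curlOptions)
    {
        $peer = isset($curlOptions[CURLOPT_SSL_VERIFYPEER]) ? $curlOptions[CURLOPT_SSL_VERIFYPEER] : true;
        $host = isset($curlOptions[CURLOPT_SSL_VERIFYHOST]) ? $curlOptions[CURLOPT_SSL_VERIFYHOST] : 2;
        if (!$peer || (int) $host !== 2) {
            throw new InvalidArgumentException('TLS peer verification must stay enabled');
        }
    }
    public function __construct(array $options = array())
    {
        $this->ch = curl_init();
        $curlOptions = self::secureDefaults();
        // A private CA is handled by pointing at its bundle, not by
        // switching verification off.
        if (isset($options['ca_bundle'])) {
            $curlOptions[CURLOPT_CAINFO] = $options['ca_bundle'];
        }
        // Caller-supplied curl options may add to, but not weaken, the defaults
        // (array union: caller keys win, then verifyOptions() re-checks them).
        if (isset($options['curl_options'])) {
            $curlOptions = $options['curl_options'] + $curlOptions;
        }
        self::verifyOptions($curlOptions);
        curl_setopt_array($this->ch, $curlOptions);
        // Credentials are attached only after verification is guaranteed.
        if (isset($options['login'])) {
            curl_setopt($this->ch, CURLOPT_USERPWD, $options['login'] . ':' . $options['password']);
        }
    }
}
```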
Severity
CVSS 3.1: 8.1 (HIGH) — AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-295: Improper Certificate Validation