cURL 'Content-disposition' Header Processing Flaw Lets Remote Users Overwrite Files and Potentially
|
|
SecurityTracker Alert ID: 1024583 |
|
SecurityTracker URL: http://securitytracker.com/id/1024583
|
|
CVE Reference:
CVE-2010-3842
(Links to External Site)
|
Date: Oct 15 2010
|
Impact:
Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 7.20.0 - 7.21.1
|
Description:
A vulnerability was reported in cURL. A remote user can overwrite files on the target system and potentially execute arbitrary code in certain cases.
A remote server can return a specially crafted 'Content-disposition' header value to a connected target user. When the target user invokes cURL with the '--remote-header-name option (or '-J') on operating systems that use backslash characters as a path separator, cURL will write the downloaded file to an arbitrary location (with the privileges of the target user).
This can be exploited to execute arbitrary code on the target system.
Windows, Netware, MSDOS, OS/2, and Symbian systems are affected.
Only the cURL command line is affected. libcurl is not affected.
The vendor was notified on September 3, 2010.
Dan Fandrich reported this vulnerability.
|
Impact:
A remote user can overwrite files and potentially execute arbitrary code on certain target systems.
|
Solution:
The vendor has issued a fix (7.21.2).
The vendor's advisory is available at:
http://curl.haxx.se/docs/adv_20101013.html
|
Vendor URL: curl.haxx.se/docs/adv_20101013.html (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 15 Oct 2010 03:30:06 +0000
Subject: curl
|
> curl local file overwrite
http://curl.haxx.se/docs/adv_20101013.html
CVE-2010-3842
|
|
