cURL/libcurl HTTP Redirect Processing May Let Remote Users Access Files
SecurityTracker Alert ID: 1021783
SecurityTracker URL: http://securitytracker.com/id/1021783
Date: Mar 3 2009
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes  Vendor Confirmed: Yes  Exploit Included: Yes
Version(s): after 5.10 and prior to 7.19.4
A vulnerability was reported in cURL. A remote user may be able to view files on the target system.
A remote server can supply a specially crafted HTTP redirect response to the requesting application (pointing to a 'file://' URL) to cause the application to load a local file instead of the requested resource.
libcurl configurations that use CURLOPT_FOLLOWLOCATION may be affected.
On systems with libcurl compiled to support SCP, a remote server can cause the target application to download arbitrary content. A demonstration exploit command is provided:
Location: scp://name:passwd@host/a'``;date >/tmp/test``;'
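The check that closes this class of redirect hole on the client side, as an added example (not code from the advisory, from cURL or from libcurl): resolve the Location header against the request URL, then refuse any target whose scheme is not on an http/https allow-list. libcurl 7.19.4 introduced CURLOPT_REDIR_PROTOCOLS for this purpose; the function names, hostnames and response bytes below are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Schemes a redirect may switch the client to. libcurl 7.19.4 added
# CURLOPT_REDIR_PROTOCOLS for this purpose; this stand-alone check is a
# hypothetical re-implementation for illustration, not libcurl code.
REDIR_ALLOWED_SCHEMES = frozenset({"http", "https"})
REDIRECT_STATUSES = frozenset({301, 302, 303, 307, 308})

def parse_response_head(raw):
    """Return (status_code, location_or_None) from a raw HTTP response head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location

def decide_redirect(request_url, raw_response, allowed=REDIR_ALLOWED_SCHEMES):
    """Return ("follow", url), ("refused", url) or ("no-redirect", None)."""
    status, location = parse_response_head(raw_response)
    if status not in REDIRECT_STATUSES or location is None:
        return "no-redirect", None
    # Resolve relative and scheme-relative ("//host/x") Locations against the
    # request URL so they inherit its scheme; an absolute URL with its own
    # scheme comes back unchanged, so 'file://' and 'scp://' reach the check.
    target = urljoin(request_url, location)
    scheme = urlsplit(target).scheme.lower()
    return ("follow" if scheme in allowed else "refused"), target

# Constructed responses: the advisory's scp:// Location, a file:// one
# (upper-cased to show the scheme is matched case-insensitively), and two
# benign redirects the client should still follow.
REQUEST_URL = "https://app.example.test/fetch"
SAMPLE_RESPONSES = {
    "scp": (b"HTTP/1.1 302 Found\r\n"
            b"Location: scp://name:passwd@host/a'``;date >/tmp/test``;'\r\n\r\n"),
    "file": b"HTTP/1.1 301 Moved Permanently\r\nLocation: FILE:///etc/passwd\r\n\r\n",
    "relative": b"HTTP/1.1 302 Found\r\nLocation: /v2/resource\r\n\r\n",
    "scheme_relative": (b"HTTP/1.1 307 Temporary Redirect\r\n"
                        b"Location: //cdn.example.test/asset\r\n\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(name, decide_redirect(REQUEST_URL, raw))
```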
The vendor was notified on February 6, 2009.
The original advisory is available at:
David Kierznowski reported this vulnerability.
A remote user may be able to view files on the target system in certain situations.
The vendor has issued a fixed version (7.19.4).
The vendor's advisory is available at:
Vendor URL: curl.haxx.se/docs/adv_20090303.html
Cause: Access control error
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents
Subject: [Full-disclosure] cURL/libcURL Arbitrary File Access
cURL/libcURL Arbitrary File Access
Release date: 03/Jan/2009
CVE: CVE-2009-0037
Quote from: http://curl.haxx.se/libcurl/:
"libcurl is a free and easy-to-use client-side URL transfer library,
supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS and FILE."
This vulnerability could permit remote arbitrary file access and command
execution under "less-likely" circumstances.
This is a joint advisory release with cURL. The latest version addresses
Full advisory available here: