cURL/libcurl HTTP Redirect Processing May Let Remote Users Access Files
|
|
SecurityTracker Alert ID: 1021783 |
|
SecurityTracker URL: http://securitytracker.com/id/1021783
|
|
CVE Reference:
CVE-2009-0037
(Links to External Site)
|
Date: Mar 3 2009
|
Impact:
Disclosure of system information, Disclosure of user information
|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): after 5.10 and prior to 7.19.4
|
Description:
A vulnerability was reported in cURL. A remote user may be able to view files on the target system.
A remote server can supply a specially crafted HTTP redirect response to the requesting application (pointing to a 'file://' URL) to cause the application to load a local file instead of the requested resource.
libcurl configurations that use CURLOPT_FOLLOWLOCATION may be affected.
On systems with libcurl compiled to support SCP, a remote server can cause the target application to download arbitrary content. A demonstration exploit command is provided:
Location: scp://name:passwd@host/a'``;date >/tmp/test``;'
The vendor was notified on February 6, 2009.
The original advisory is available at:
http://www.withdk.com/2009/03/03/curllibcurl-redirect-arbitrary-file-access/
David Kierznowski reported this vulnerability.
|
Impact:
A remote user may be able to view files on the target system in certain situations.
|
Solution:
The vendor has issued a fixed version (7.19.4).
The vendor's advisory is available at:
http://curl.haxx.se/docs/adv_20090303.html
|
Vendor URL: curl.haxx.se/docs/adv_20090303.html (Links to External Site)
|
Cause:
Access control error
|
Underlying OS: Linux (Any), UNIX (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Subject: [Full-disclosure] cURL/libcURL Arbitrary File Access
|
--===============1170448594==
Content-Type: multipart/alternative; boundary=0015174c1bb8a3f3d2046432ac40
--0015174c1bb8a3f3d2046432ac40
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
cURL/libcURL Arbitrary File Access
Release date: 03/Jan/2009
CVE: CVE-2009-0037
Quote from: http://curl.haxx.se/libcurl/:
"libcurl is a free and easy-to-use client-side URL transfer library,
supporting FTP, FTPS,
HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS and FILE."
This vulnerability could permit remote arbitrary file access and command
execution under =E2=80=9Cless-likely=E2=80=9D circumstances.
This is a joint advisory release with cURL. The latest version addresses
this problem.
Full advisory available here:
http://www.withdk.com/2009/03/03/curllibcurl-redirect-arbitrary-file-access=
/
--0015174c1bb8a3f3d2046432ac40
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<p>cURL/libcURL Arbitrary File Access<br>Release date: 03/Jan/2009<br>CVE: =
CVE-2009-0037<br></p><p>Quote from: <a href=3D"http://curl.haxx.se/libcurl/=
">http://curl.haxx.se/libcurl/</a>:<br>"libcurl is a free and easy-to-=
use client-side URL transfer library, supporting FTP, FTPS,<br>
HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS and FILE."<br>
</p>
<p>This vulnerability could permit remote arbitrary file access and command=
execution under =E2=80=9Cless-likely=E2=80=9D circumstances.</p><p>This is=
a joint advisory release with cURL. The latest version addresses this prob=
lem.</p><p>
Full advisory available here:<br><a href=3D"http://www.withdk.com/2009/03/0=
3/curllibcurl-redirect-arbitrary-file-access/">http://www.withdk.com/2009/0=
3/03/curllibcurl-redirect-arbitrary-file-access/</a></p><p><br></p>
--0015174c1bb8a3f3d2046432ac40--
--===============1170448594==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============1170448594==--
|
|
