SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives
Category:   Application (Generic)  >   cURL
Vendors:   curl.haxx.se
cURL/libcurl HTTP Redirect Processing May Let Remote Users Access Files
SecurityTracker Alert ID:  1021783
SecurityTracker URL:  http://securitytracker.com/id/1021783
CVE Reference:   CVE-2009-0037   (Links to External Site)
Date:  Mar 3 2009
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): after 5.10 and prior to 7.19.4
Description:   A vulnerability was reported in cURL. A remote user may be able to view files on the target system.

A remote server can supply a specially crafted HTTP redirect response to the requesting application (pointing to a 'file://' URL) to cause the application to load a local file instead of the requested resource.

libcurl configurations that use CURLOPT_FOLLOWLOCATION may be affected.

On systems with libcurl compiled to support SCP, a remote server can cause the target application to download arbitrary content. A demonstration exploit command is provided:

Location: scp://name:passwd@host/a'``;date >/tmp/test``;'
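The redirect handling described above, as an added example (not code from the SecurityTracker entry, the original advisory or the curl project): a small redirect-following client that resolves each Location header against the URL it came from and refuses any target whose scheme is not on an allowlist, so a server answering with a file:// or scp:// redirect is blocked before anything is read. The URLs, responses and the "local file contents" string are constructed and stand in for the network; the allowlist of http/https is an assumed policy.

```python
"""Redirect-target scheme allowlist for a client that follows HTTP redirects.

Added example, not code from the advisory or from the curl project. The check
runs on the *resolved* Location target, so a relative redirect inherits the
base scheme and stays allowed, while an absolute file:// or scp:// target is
rejected whatever its letter case or surrounding whitespace. A dict of
constructed responses replaces the network so the example runs offline.
"""
from urllib.parse import urljoin, urlsplit

# Schemes a web client should accept in a redirect (assumed policy).
DEFAULT_REDIRECT_SCHEMES = frozenset({"http", "https"})
REDIRECT_STATUSES = frozenset({301, 302, 303, 307, 308})


class RedirectRefused(Exception):
    """Raised when a Location header points outside the allowed schemes."""


def resolve_redirect(base_url, location, allowed=DEFAULT_REDIRECT_SCHEMES):
    """Resolve `location` against `base_url` and enforce the scheme allowlist.

    Returns the normalised absolute URL to fetch next, or raises
    RedirectRefused. With allowed=None the check is skipped, which models
    a client that follows every redirect unconditionally.
    """
    parts = urlsplit(urljoin(base_url, location.strip()))
    scheme = parts.scheme.lower()
    if allowed is not None and scheme not in allowed:
        raise RedirectRefused(f"refusing redirect to {scheme!r} URL: {parts.geturl()}")
    return parts.geturl()


def redirect_allowed(base_url, location, allowed=DEFAULT_REDIRECT_SCHEMES):
    """Boolean form of resolve_redirect, convenient for policy checks and tests."""
    try:
        resolve_redirect(base_url, location, allowed)
    except RedirectRefused:
        return False
    return True


def follow_redirects(start_url, responses, allowed=DEFAULT_REDIRECT_SCHEMES, max_hops=5):
    """Walk a redirect chain the way a follow-location client would.

    `responses` maps URL -> (status, headers, body) and stands in for the
    network. Returns (final_url, body) or raises RedirectRefused.
    """
    url = start_url
    for _ in range(max_hops + 1):
        status, headers, body = responses[url]
        location = headers.get("Location")
        if status not in REDIRECT_STATUSES or location is None:
            return url, body
        url = resolve_redirect(url, location, allowed)
    raise RedirectRefused(f"more than {max_hops} redirects from {start_url}")


# Constructed responses: a benign chain, and a server that answers with a
# redirect to a local file, the pattern the advisory describes.
SAMPLE_RESPONSES = {
    "http://example.test/start": (302, {"Location": "/step2"}, ""),
    "http://example.test/step2": (301, {"Location": "https://example.test/final"}, ""),
    "https://example.test/final": (200, {}, "hello"),
    "http://example.test/evil": (302, {"Location": "  FILE:///etc/passwd"}, ""),
    # Stand-in for what an unchecked client would read from the local disk.
    "file:///etc/passwd": (200, {}, "<constructed stand-in for local file contents>"),
}


def main():
    print(follow_redirects("http://example.test/start", SAMPLE_RESPONSES))
    try:
        follow_redirects("http://example.test/evil", SAMPLE_RESPONSES)
    except RedirectRefused as exc:
        print("blocked:", exc)
    # Same chain with the check disabled: the client ends up at the local file.
    print(follow_redirects("http://example.test/evil", SAMPLE_RESPONSES, allowed=None))


if __name__ == "__main__":
    main()
```

The important design point is that the scheme test happens after resolution and normalisation, not on the raw header string, so a relative Location keeps working and a mixed-case or whitespace-padded `FILE://` target cannot slip past a naive prefix comparison. In libcurl itself the equivalent control is CURLOPT_REDIR_PROTOCOLS, introduced in 7.19.4 together with this fix (a fact about libcurl, not stated on this page), which limits the schemes a followed redirect may use.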

The vendor was notified on February 6, 2009.

The original advisory is available at:

http://www.withdk.com/2009/03/03/curllibcurl-redirect-arbitrary-file-access/

David Kierznowski reported this vulnerability.

Impact:   A remote user may be able to view files on the target system in certain situations.
Solution:   The vendor has issued a fixed version (7.19.4).

The vendor's advisory is available at:

http://curl.haxx.se/docs/adv_20090303.html

Vendor URL:  curl.haxx.se/docs/adv_20090303.html (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 19 2009 (Red Hat Issues Fix) cURL/libcurl HTTP Redirect Processing May Let Remote Users Access Files
Red Hat has released a fix for Red Hat Enterprise Linux 2.1, 3, 4, and 5.



 Source Message Contents

Subject:  [Full-disclosure] cURL/libcURL Arbitrary File Access

cURL/libcURL Arbitrary File Access
Release date: 03/Jan/2009
CVE: CVE-2009-0037

Quote from: http://curl.haxx.se/libcurl/:
"libcurl is a free and easy-to-use client-side URL transfer library,
supporting FTP, FTPS,
HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS and FILE."

This vulnerability could permit remote arbitrary file access and command
execution under “less-likely” circumstances.

This is a joint advisory release with cURL. The latest version addresses
this problem.

Full advisory available here:
http://www.withdk.com/2009/03/03/curllibcurl-redirect-arbitrary-file-access/



Copyright 2017, SecurityGlobal.net LLC