Vigil@nce - Curl: file creation via remote-header-name
October 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can invite the victim to connect to a malicious site
with Curl, in order to create a file outside the current directory.
Severity: 2/4
Creation date: 13/10/2010
DESCRIPTION OF THE VULNERABILITY
A web server uses the HTTP Content-Disposition header to suggest a
filename to use to save the url locally. For example:
Content-Disposition: inline; filename="here_the_filename"
The "—remote-header-name" or "-J" option of Curl uses the
suggested filename to save the content of the url in the current
directory. If the file name contains directories, they are
ignored. However, if the directory separator is a "\", and if Curl
runs on a system supporting back-slashes (Windows, Netware, MSDOS,
OS/2 or Symbian), directory names are not correctly filtered.
An attacker can therefore invite the victim to connect to a
malicious site with Curl, in order to create a file outside the
current directory.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Curl-file-creation-via-remote-header-name-10041