Vigil@nce: cURL, local file reading
March 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can use a redirect to force cURL to read a local file.
Gravity: 2/4
Consequences: user access/rights, data reading
Provenance: internet server
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 03/03/2009
IMPACTED PRODUCTS
– cURL
– Fedora
– Mandriva Corporate
– Mandriva Linux
– Mandriva Multi Network Firewall
DESCRIPTION OF THE VULNERABILITY
The cURL program, and the libcurl library, can download documents
using several protocols:
http://site/doc
ftp://site/doc
file:///tmp/doc
etc.
The HTTP protocol can redirect a query via the Location header.
For example, cURL can request http://site/doc, and the site can
reply that the document is located at http://site2/doc.
However, cURL also accepts redirections to a non-web protocol.
For example, cURL can request http://attaquant/doc, and the site
can reply with a redirection to file:///tmp/doc. The cURL program
then reads the local /tmp/doc file. Depending on the context, the
content of this file can then, for example, be stored on a public
web site, where the attacker will be able to read it.
An attacker can therefore use a redirect to force cURL to read a
local file.
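A client-side guard against the redirect described above, as an added example that is not part of the original advisory or of cURL's code: it resolves each Location value against the URL that returned it and refuses any target whose scheme is not http or https. The allowlist, the hop limit, the function names and the sample chains are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Assumed policy: a redirect may only lead to a web URL.
ALLOWED_REDIRECT_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5  # assumed hop limit


class RedirectRejected(Exception):
    """Raised when a Location value must not be followed."""


def resolve_redirect(current_url, location):
    """Resolve a Location header value against the URL that returned it
    and return the absolute target, or raise RedirectRejected."""
    target = urljoin(current_url, location.strip())
    scheme = urlsplit(target).scheme.lower()
    if scheme not in ALLOWED_REDIRECT_SCHEMES:
        raise RedirectRejected(
            f"{current_url} -> {target}: scheme {scheme!r} not allowed")
    return target


def follow_chain(start_url, locations):
    """Apply resolve_redirect to successive Location values (one per
    response) and return the final URL that would be fetched."""
    if len(locations) > MAX_REDIRECTS:
        raise RedirectRejected(f"more than {MAX_REDIRECTS} redirects")
    url = start_url
    for location in locations:
        url = resolve_redirect(url, location)
    return url


if __name__ == "__main__":
    # Constructed redirect chains; host names are those of the advisory text.
    chains = [
        ("http://site/doc", ["http://site2/doc"]),
        ("http://site/a/doc", ["../b/doc", "//site2/doc"]),
        ("http://attaquant/doc", ["file:///tmp/doc"]),
        ("http://attaquant/doc", ["http://site2/doc", "FILE:///tmp/doc"]),
    ]
    for start, locations in chains:
        try:
            print("follow:", start, "->", follow_chain(start, locations))
        except RedirectRejected as err:
            print("refuse:", err)
```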
CHARACTERISTICS
Identifiers: adv_20090303, BID-33962, CVE-2009-0037,
FEDORA-2009-2247, FEDORA-2009-2265, MDVSA-2009:069,
VIGILANCE-VUL-8501
http://vigilance.fr/vulnerability/cURL-local-file-reading-8501