Vigil@nce - libcurl: information disclosure via COPYPOSTFIELDS
November 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who controls an HTTP server that a libcurl-based
application connects to as a client may receive sensitive information.
Impacted products: cURL, Debian
Severity: 1/4
Creation date: 05/11/2014
DESCRIPTION OF THE VULNERABILITY
The libcurl product is a Web client library.
The library can be used to post forms. It provides a function to
clone a descriptor, for use when the application has to send
several similar requests: curl_easy_setopt(CURL *handle,
CURLOPT_COPYPOSTFIELDS, char *data). However, the implementation
of the COPYPOSTFIELDS option keeps the application's pointer to the
data instead of using the copy that the function has just made. So,
when the request is eventually sent, the current content of the
application buffer is sent instead of the intended data.
An HTTP server therefore receives data which should not be sent
and which is potentially sensitive.
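The aliasing flaw described above, reduced to a small C model (an added example, not libcurl's source code and not part of the bulletin). The struct, the function names and the sample strings are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a request handle; not libcurl's real layout. */
struct req {
    char *owned_copy;        /* private copy made when the option is set */
    const char *postfields;  /* pointer read when the request is sent */
};
/* Duplicate the caller's data into the handle. Returns 0 on success. */
static int make_copy(struct req *r, const char *data) {
    size_t n = strlen(data) + 1;
    if ((r->owned_copy = malloc(n)) == NULL) return -1;
    memcpy(r->owned_copy, data, n);
    return 0;
}

/* Flawed: the copy exists, but the handle still points at caller memory. */
static int set_copy_flawed(struct req *r, const char *data) {
    if (make_copy(r, data) != 0) return -1;
    r->postfields = data;
    return 0;
}

/* Corrected: the handle reads from the copy it owns. */
static int set_copy_fixed(struct req *r, const char *data) {
    if (make_copy(r, data) != 0) return -1;
    r->postfields = r->owned_copy;
    return 0;
}

/* 1 if the body sent after buffer reuse is still `planned`, 0 if not, -1 on error. */
static int body_survives_reuse(int (*setter)(struct req *, const char *),
                               const char *planned, const char *reuse) {
    char appbuf[64];                               /* application buffer */
    struct req r = {0};
    snprintf(appbuf, sizeof appbuf, "%s", planned);
    if (setter(&r, appbuf) != 0) return -1;
    snprintf(appbuf, sizeof appbuf, "%s", reuse);  /* buffer reused before send */
    int same = strcmp(r.postfields, planned) == 0;
    free(r.owned_copy);
    return same;
}

int main(void) {  /* constructed sample values */
    printf("flawed keeps planned body: %d\n", body_survives_reuse(set_copy_flawed, "name=alice", "session=CONSTRUCTED"));
    printf("fixed keeps planned body:  %d\n", body_survives_reuse(set_copy_fixed, "name=alice", "session=CONSTRUCTED"));
    return 0;
}
```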
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/libcurl-information-disclosure-via-COPYPOSTFIELDS-15586