
March 4th, 2009, 11:09 PM
Security update for cURL
Quote:
A security update for cURL, the file transfer utility, and its associated libcurl library has been released to fix a vulnerability which could allow an attacker to examine files on a system, or possibly even write files. The cause of the problem is the cURL (Client for URL) automatic redirection feature.
This allows a remote site to redirect http:// requests to file:// which would then read a local file. A site that used cURL based applications could be tricked into downloading from what it thinks is a http:// URL and find itself redirected to using a local file, which may then be exposed in some other way by the site. According to the advisory the problem can also be exploited to overwrite local files. If SCP support has been enabled in libcurl, there is also a possibility that using embedded semi-colons can be used to execute commands on a server.
The H Security
Quote:
Also note that (lib)curl is used by many applications, and not always advertised as such.
http://curl.haxx.se/docs/adv_20090303.html
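The redirect problem quoted above comes down to a client following a `Location` header into a scheme the application never meant to use. As an added example (not part of the original post or of cURL's code), this sketch follows redirects by hand and refuses any hop that leaves an allowlist; the allowlist, the `fetch` callback and the `example.test` responses are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Assumption for this example: the application only ever needs web URLs.
ALLOWED_SCHEMES = frozenset({"http", "https"})
REDIRECT_CODES = {301, 302, 303, 307, 308}


class RedirectBlocked(Exception):
    """A redirect pointed outside the allowed schemes, or the chain was too long."""


def check_redirect(current_url, location, allowed=ALLOWED_SCHEMES):
    """Resolve a Location header against current_url and enforce the allowlist."""
    target = urljoin(current_url, location.strip())
    scheme = urlsplit(target).scheme  # urlsplit lower-cases the scheme
    if scheme not in allowed:
        raise RedirectBlocked(f"refusing redirect from {current_url} to {target}")
    return target


def follow(url, fetch, max_hops=5):
    """Follow redirects by hand; fetch(url) returns (status, headers, body)."""
    if urlsplit(url).scheme not in ALLOWED_SCHEMES:
        raise RedirectBlocked(f"refusing start URL {url}")
    for _ in range(max_hops + 1):
        status, headers, body = fetch(url)
        location = headers.get("Location")
        if status not in REDIRECT_CODES or location is None:
            return url, body
        url = check_redirect(url, location)
    raise RedirectBlocked(f"more than {max_hops} redirects")


# Constructed responses standing in for a remote server (no network access).
SAMPLE_RESPONSES = {
    "http://example.test/report": (302, {"Location": "/files/report.txt"}, b""),
    "http://example.test/files/report.txt": (200, {}, b"report body"),
    "http://example.test/moved": (302, {"Location": "file:///etc/passwd"}, b""),
    "http://example.test/copy": (301, {"Location": "scp://example.test/tmp/x"}, b""),
}


def fake_fetch(url):
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    for start in ("report", "moved", "copy"):
        try:
            print(follow("http://example.test/" + start, fake_fetch))
        except RedirectBlocked as exc:
            print("blocked:", exc)
```

In libcurl itself the equivalent restriction is set with the `CURLOPT_REDIR_PROTOCOLS` option rather than in application code.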