curl / Docs / curl CVEs / Arbitrary File Access

CVE-2009-0037

Arbitrary File Access

Project curl Security Advisory, March 3rd 2009 Permalink

VULNERABILITY

When told to follow a "redirect" automatically, libcurl does not question the new target URL but follows it to any new URL that it understands. As libcurl supports FILE:// URLs, a rogue server can thus "trick" a libcurl-using application to read a local file instead of the remote one.

This is a problem, for example, when the application is running on a server and is written to upload or to otherwise provide the transferred data to a user, to another server or to another application etc, as it can be used to expose local files it was not meant to.

The problem can also be exploited for uploading, if the rogue server redirects the client to a local file and thus it would (over)write a local file instead of sending it to the server.

libcurl compiled to support SCP can get tricked to get a file using embedded semicolons, which can lead to execution of commands on the given server. Location: scp://name:passwd@host/a;date >/tmp/test;.

Files on servers other than the one running libcurl are also accessible when credentials for those servers are stored in the .netrc file of the user running libcurl. This is most common for FTP servers, but can occur with any protocol supported by libcurl. Files on remote SSH servers are also accessible when the user has an unencrypted SSH key.

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-0037 to this issue.

CWE-142: Improper Neutralization of Value Delimiters

Severity: Medium

AFFECTED VERSIONS

Also note that (lib)curl is used by many applications, and not always advertised as such.

SOLUTION

libcurl 7.19.4 introduces a new option called CURLOPT_REDIR_PROTOCOLS, which applications can use to tell libcurl what target protocols automatic redirect followings are allowed to use. By default this excludes FILE and SCP URLs.

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade to curl and libcurl 7.19.4

B - Apply the suitable patch and rebuild

C - Disable automatic redirection following in your application and do the logic "manually" instead.

TIMELINE

We were notified on Feb 6 2009.

We discussed solutions and a first patch was written and tested on Feb 11.

Vendor-sec was contacted on Feb 12, 2009.

We agreed on and coordinated the synchronous disclosure of this problem together with the curl 7.19.4 release.

curl 7.19.4 was released on March 3 2009, just before this flaw was publicly disclosed.

CREDITS

Daniel Fandrich researched the issue and helped with the fix.

Michal Marek brought the SCP side of this issue and did a bunch of the patch backports.

Daniel Stenberg wrote the primary patch and this advisory.