curl-users
Re: Too revealing user-agent field?
Date: Wed, 13 Jun 2007 11:11:00 +0800
2007/6/12, Daniel Stenberg <daniel_at_haxx.se>:
>
> Is it?
>
> At least one FreeBSD user seems to think so:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=112555
>
> Any opinions on this here?
>
> --
> Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
>
The FreeBSD patch is reasonable because a cURL connection exposes much of the system
libraries' information to the remote site. Some of these libraries, like OpenSSL,
are vital for web application security. If the remote site detects that the local
machine does not have the latest patch on these libraries, the local machine
could be the victim of an attack.
Taking Firefox on Linux as an example, the user-agent field it exposes to the
remote side only contains:
"User-Agent: Mozilla/5.0 (X11; U; Linux i686; zh-CN; rv:1.8.1.4)
Gecko/20070515 Firefox/2.0.0.4\r\n"
Received on 2007-06-13
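An added example, not from the thread or from the curl project: a small Python audit that parses curl-style and browser User-Agent strings, lists which library versions each one discloses, scans a few egress-proxy log lines for clients sending such strings, and shows the reduced string an operator could send instead (with curl that is set via the -A / --user-agent option, with libcurl via CURLOPT_USERAGENT). The User-Agent strings, the library name list and the log lines are constructed for the example; a real default libcurl string depends on the build.

```python
"""Audit User-Agent strings for disclosed library versions.

Added example, not part of the curl-users thread. The User-Agent strings
below are constructed samples in the shape libcurl uses by default
("curl/<ver> (<platform>) libcurl/<ver> <lib>/<ver> ..."); the exact
contents of a real default string depend on the build.
"""
import re

# Library names that commonly appear in a default libcurl User-Agent.
# This set is an assumption for the example, not an exhaustive list.
LIBRARY_NAMES = {"libcurl", "openssl", "gnutls", "nss", "zlib", "libidn",
                 "libssh2", "c-ares"}

PRODUCT_RE = re.compile(r"([A-Za-z][\w.+-]*)/([\w.+-]+)")
PLATFORM_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample strings (illustrative, not captured data).
SAMPLE_CURL_UA = ("curl/7.16.2 (i386-portbld-freebsd6.2) libcurl/7.16.2 "
                  "OpenSSL/0.9.7e zlib/1.2.3")
SAMPLE_FIREFOX_UA = ("Mozilla/5.0 (X11; U; Linux i686; zh-CN; rv:1.8.1.4) "
                     "Gecko/20070515 Firefox/2.0.0.4")


def parse_user_agent(ua):
    """Return (list of (product, version) pairs in order, platform or None)."""
    products = PRODUCT_RE.findall(ua)
    m = PLATFORM_RE.search(ua)
    return products, (m.group(1) if m else None)


def disclosed_libraries(ua):
    """Library/version pairs a remote site could read from this User-Agent."""
    products, _ = parse_user_agent(ua)
    return [(name, ver) for name, ver in products
            if name.lower() in LIBRARY_NAMES]


def reduced_user_agent(ua):
    """Keep only the first product token: the string an operator would send
    instead (curl -A / --user-agent, or CURLOPT_USERAGENT in libcurl)."""
    products, _ = parse_user_agent(ua)
    if not products:
        return ""
    name, ver = products[0]
    return f"{name}/{ver}"


def audit_log(lines):
    """Scan constructed proxy log lines of the form '<client> "<user-agent>"'
    and report clients whose User-Agent discloses library versions."""
    findings = []
    for line in lines:
        m = re.match(r'(\S+)\s+"([^"]*)"', line)
        if not m:
            continue
        client, ua = m.groups()
        libs = disclosed_libraries(ua)
        if libs:
            findings.append((client, libs))
    return findings


# Constructed egress-proxy log excerpt (assumption, not real traffic).
SAMPLE_LOG = [
    f'10.0.0.5 "{SAMPLE_CURL_UA}"',
    f'10.0.0.7 "{SAMPLE_FIREFOX_UA}"',
    '10.0.0.9 "curl/7.16.2"',
]

if __name__ == "__main__":
    for client, libs in audit_log(SAMPLE_LOG):
        print(client, "discloses", ", ".join(f"{n}/{v}" for n, v in libs))
    print("reduced:", reduced_user_agent(SAMPLE_CURL_UA))
```

Run as a script it reports only the first log client, since the Firefox string names no system library and the third client already sends a reduced string; the same parser can be pointed at real proxy logs to find hosts that still announce their library versions.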