Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Re: [SECURITY ADVISORY] curl: trusting FTP PASV responses
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Paul Gilmartin via curl-users <curl-users_at_cool.haxx.se>
Date: Wed, 9 Dec 2020 07:42:11 -0700
On 2020-12-08, at 23:53:28, Daniel Stenberg via wrote:
> ...
> If curl operates on a URL provided by a user (which by all means is an unwise
> setup), a user can exploit that and pass in a URL to a malicious FTP server
> instance without needing any server breach to perform the attack.
>
Ouch! "unwise" Without qualification? "man curl" says:
curl(1)
NAME
curl - transfer a URL
SYNOPSIS
curl [options] [URL...]
Am I at risk with:
curl --trace-ascii trace ftp://service.boulder.ibm.com/s390/holddata/full.txt
... when I see in "trace":
=> Send header, 6 bytes (0x6)
0000: EPSV
== Info: Connect data stream passively
<= Recv header, 37 bytes (0x25)
0000: 500 'EPSV': command not understood.
== Info: Failed EPSV attempt. Disabling EPSV
=> Send header, 6 bytes (0x6)
0000: PASV
<= Recv header, 50 bytes (0x32)
0000: 227 Entering Passive Mode (170,225,15,26,60,163)
== Info: Trying 170.225.15.26:15523...
== Info: Connecting to 170.225.15.26 (170.225.15.26) port 15523
== Info: Connected to service.boulder.ibm.com (170.225.15.26) port 21 (#0)
Is there a remedy?
Thanks,
gil
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2020-12-09
Date: Wed, 9 Dec 2020 07:42:11 -0700
On 2020-12-08, at 23:53:28, Daniel Stenberg via wrote:
> ...
> If curl operates on a URL provided by a user (which by all means is an unwise
> setup), a user can exploit that and pass in a URL to a malicious FTP server
> instance without needing any server breach to perform the attack.
>
Ouch! "unwise" Without qualification? "man curl" says:
curl(1)
NAME
curl - transfer a URL
SYNOPSIS
curl [options] [URL...]
Am I at risk with:
curl --trace-ascii trace ftp://service.boulder.ibm.com/s390/holddata/full.txt
... when I see in "trace":
=> Send header, 6 bytes (0x6)
0000: EPSV
== Info: Connect data stream passively
<= Recv header, 37 bytes (0x25)
0000: 500 'EPSV': command not understood.
== Info: Failed EPSV attempt. Disabling EPSV
=> Send header, 6 bytes (0x6)
0000: PASV
<= Recv header, 50 bytes (0x32)
0000: 227 Entering Passive Mode (170,225,15,26,60,163)
== Info: Trying 170.225.15.26:15523...
== Info: Connecting to 170.225.15.26 (170.225.15.26) port 15523
== Info: Connected to service.boulder.ibm.com (170.225.15.26) port 21 (#0)
Is there a remedy?
Thanks,
gil
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2020-12-09