
Re: [SECURITY ADVISORY] curl: trusting FTP PASV responses

From: Paul Gilmartin via curl-users <>
Date: Wed, 9 Dec 2020 07:42:11 -0700

On 2020-12-08, at 23:53:28, Daniel Stenberg via wrote:
> ...
> If curl operates on a URL provided by a user (which by all means is an unwise
> setup), a user can exploit that and pass in a URL to a malicious FTP server
> instance without needing any server breach to perform the attack.
Ouch! "unwise" without qualification? "man curl" says:
       curl - transfer a URL
       curl [options] [URL...]

Am I at risk with:
    curl --trace-ascii trace

... when I see in "trace":
=> Send header, 6 bytes (0x6)
0000: EPSV
== Info: Connect data stream passively
<= Recv header, 37 bytes (0x25)
0000: 500 'EPSV': command not understood.
== Info: Failed EPSV attempt. Disabling EPSV
=> Send header, 6 bytes (0x6)
0000: PASV
<= Recv header, 50 bytes (0x32)
0000: 227 Entering Passive Mode (170,225,15,26,60,163)
== Info: Trying
== Info: Connecting to ( port 15523
== Info: Connected to ( port 21 (#0)

Is there a remedy?
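The trace above shows what the advisory is about: the server's 227 reply names both an address (170,225,15,26) and a port pair (60,163), and the client then connects to port 60*256+163 = 15523 at whatever address the reply advertised. A client that reuses the control-connection peer and takes only the port from the reply cannot be steered to a third host by a malicious server; in curl that behaviour is the --ftp-skip-pasv-ip option (CURLOPT_FTP_SKIP_PASV_IP in libcurl). The following is an added example, not code from the curl project or from the thread, that parses a 227 reply and makes that choice; the control-connection peer address and the hostile second reply are constructed for illustration.

```python
import re

# Constructed inputs: the 227 reply copied from the trace in the mail, plus a
# hypothetical reply from a malicious server pointing the client elsewhere.
CONTROL_PEER = "170.225.15.26"          # assumed address of the control connection
TRACE_REPLY = "227 Entering Passive Mode (170,225,15,26,60,163)"
HOSTILE_REPLY = "227 Entering Passive Mode (10,0,0,5,18,52)"

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str):
    """Parse a 227 reply into (advertised_ip, port).

    The port is p1 * 256 + p2, which is how (60,163) in the trace becomes
    15523. Raises ValueError on anything that is not a well-formed 227 reply.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a valid 227 reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet or port byte out of range")
    h1, h2, h3, h4, p1, p2 = nums
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("server advertised port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def pasv_redirects(reply: str, control_peer: str) -> bool:
    """True when the server tries to send the data connection to a host
    other than the one the control connection is talking to."""
    ip, _ = parse_pasv(reply)
    return ip != control_peer


def choose_data_endpoint(reply: str, control_peer: str, skip_pasv_ip: bool = True):
    """Pick (ip, port) for the data connection.

    skip_pasv_ip=True mirrors the safe behaviour (curl's --ftp-skip-pasv-ip):
    only the port is taken from the reply and the control-connection peer is
    reused. With skip_pasv_ip=False the advertised address is trusted, which
    is what lets a malicious server redirect the data connection anywhere.
    """
    ip, port = parse_pasv(reply)
    if skip_pasv_ip:
        return control_peer, port
    return ip, port


if __name__ == "__main__":
    for reply in (TRACE_REPLY, HOSTILE_REPLY):
        print(reply)
        print("  redirects:", pasv_redirects(reply, CONTROL_PEER))
        print("  trusting:  ", choose_data_endpoint(reply, CONTROL_PEER, skip_pasv_ip=False))
        print("  skipping:  ", choose_data_endpoint(reply, CONTROL_PEER, skip_pasv_ip=True))
```

Run stand-alone it prints, for each reply, whether the advertised address differs from the control peer and which endpoint each policy would connect to. Note that the trace in the mail happens to advertise the same address the control connection used, so it shows no redirect; the risk is a server that does not.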


Received on 2020-12-09