curl-library
Re: "URLs are dangerous things"
From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 8 Feb 2018 09:51:53 +0100 (CET)
On Wed, 7 Feb 2018, Dan Fandrich wrote:
> If the application/script sets --netrc then an attacker would just need to
> supply a username and curl would fill in the password, allowing attacks on
> machines that honoured those credentials (probably only local machines). And
> if --negotiate or --ntlm are enabled, then the attacker may not even need to
> supply a username to attack a local machine, as the request could be
> automatically authenticated as the local user.
Oh yes, excellent thinking. Thanks, I consider that a pretty strong argument
for adding an option that switches off this ability.
--
 / daniel.haxx.se
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-02-08
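The risk Dan describes is that a script which passes an untrusted URL to `curl --netrc` lets the URL's author pick the username, and curl then looks up the matching password in `.netrc` (and with `--negotiate`/`--ntlm`, authenticates as the local user without any username at all). Until the mentioned switch-off option exists, the application can do the check itself. The following is an added example written for this page, not code from the thread or from the curl project: a POSIX sh wrapper that refuses any URL whose authority carries userinfo, and additionally only lets a constructed allowlist of hosts be fetched with credentials. The `ALLOWED_HOSTS` list and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the curl mailing list thread or the curl project).
# Guard a curl invocation that uses --netrc so that an attacker-supplied URL
# cannot choose the username curl will look up a password for.

# Constructed allowlist: hosts for which stored credentials may be sent.
ALLOWED_HOSTS="files.example.com mirror.example.org"

# url_authority URL -> prints the authority part (userinfo@host:port)
url_authority() {
    rest=${1#*://}          # drop "scheme://" if present
    printf '%s\n' "${rest%%[/?#]*}"   # authority ends at '/', '?' or '#'
}

# url_has_userinfo URL -> exit 0 if the authority contains '@', else 1
url_has_userinfo() {
    case $(url_authority "$1") in
        *@*) return 0 ;;
        *)   return 1 ;;
    esac
}

# url_host URL -> prints the host name (userinfo and port stripped; bracketed
# IPv6 literals are not handled by this simple version)
url_host() {
    authority=$(url_authority "$1")
    hostport=${authority##*@}
    printf '%s\n' "${hostport%%:*}"
}

# host_allowed HOST -> exit 0 if HOST is in ALLOWED_HOSTS, else 1
host_allowed() {
    for h in $ALLOWED_HOSTS; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}

# safe_fetch URL: use --netrc only for URLs that carry no credentials and
# point at an allowlisted host; otherwise refuse before curl is ever run.
safe_fetch() {
    if url_has_userinfo "$1"; then
        printf 'refusing URL with embedded username: %s\n' "$1" >&2
        return 2
    fi
    if ! host_allowed "$(url_host "$1")"; then
        printf 'refusing credentials for non-allowlisted host: %s\n' "$1" >&2
        return 3
    fi
    curl --netrc --silent --show-error --fail "$1"
}

# Usage: safe_fetch 'https://files.example.com/report.csv'
```

The check inspects only the authority, so an `@` in the path or query (for example `http://example.com/a@b`) is not mistaken for userinfo, while a scheme-less `admin@localhost/` is still caught because curl would treat it as an HTTP URL with a username. The host allowlist covers the second half of the argument: with `--negotiate` or `--ntlm`, curl may authenticate to a local machine without any username in the URL, so restricting which hosts receive credentials at all is the more general mitigation.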