cURL Docs Security
We take security seriously and develop curl and libcurl to be secure and safe.
If you find or simply suspect a security problem in curl or libcurl, mail us at curl-security at haxx.se (a closed list of receivers; mails are not disclosed) and tell us about it.
We appreciate getting notified in advance before you go public with security advisories for the sake of our users.
See also the Vulnerabilities Table to see which versions are vulnerable to which flaws.
libcurl cert name check ignore
libcurl, when built to use OpenSSL, fails to check the certificate CN or SAN name field when digital signature verification is turned off.
libcurl offers two separate and independent options for verifying a server's TLS certificate: CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST. The first tells libcurl to verify the trust chain using a CA cert bundle, while the second tells libcurl to make sure that the name fields in the server certificate meet the criteria. Both options are enabled by default.
This flaw had the effect that when an application disabled CURLOPT_SSL_VERIFYPEER, libcurl mistakenly also disabled the CURLOPT_SSL_VERIFYHOST check. Applications can disable CURLOPT_SSL_VERIFYPEER and still achieve security by doing the trust check on their own using other means, which is why the name check must stay independent.
libcurl URL decode buffer boundary flaw
The function curl_easy_unescape() decodes URL encoded strings to raw binary data. URL encoded octets are represented with %HH combinations where HH is a two-digit hexadecimal number. The decoded string is written to an allocated memory area that the function returns to the caller.
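A bounds-checked %HH decoder of the kind described above, written here as an added example (not curl's own curl_easy_unescape() implementation). The point it shows is that the two bytes after a '%' are only read once the length test has confirmed they lie inside the input, so a trailing "%" or "%4" is copied literally instead of being read past the end of the buffer; the decoded length is returned separately because %00 produces a genuine zero byte.

```c
#include <stdlib.h>
#include <string.h>

/* Value of a hex digit, or -1 when c is not one. */
static int hexval(int c)
{
    if(c >= '0' && c <= '9') return c - '0';
    if(c >= 'a' && c <= 'f') return c - 'a' + 10;
    if(c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %HH escapes in the first 'len' bytes of 'src' into a freshly
 * allocated buffer (caller frees it); *outlen receives the decoded length
 * because the result may contain zero bytes. The bounds test runs before
 * the two bytes after a '%' are read, so a trailing "%" or "%4" is copied
 * literally instead of being read past the end of the input. */
char *url_unescape(const char *src, size_t len, size_t *outlen)
{
    char *out = malloc(len + 1);   /* output never exceeds the input length */
    size_t i = 0, o = 0;
    if(!out)
        return NULL;
    while(i < len) {
        if(src[i] == '%' && i + 2 < len) {          /* both HH bytes exist? */
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hexval((unsigned char)src[i + 2]);
            if(hi >= 0 && lo >= 0) {
                out[o++] = (char)(hi * 16 + lo);
                i += 3;
                continue;
            }
        }
        out[o++] = src[i++];       /* literal byte, or a '%' that is not an escape */
    }
    out[o] = '\0';                 /* convenience terminator, not part of *outlen */
    *outlen = o;
    return out;
}

/* Checking helper: decode 'in' and compare the result byte for byte with the
 * expected output, by length, so embedded zeros take part in the comparison. */
int unescape_gives(const char *in, size_t inlen, const char *want, size_t wantlen)
{
    size_t n = 0;
    char *got = url_unescape(in, inlen, &n);
    int ok = got && n == wantlen && memcmp(got, want, n) == 0;
    free(got);
    return ok;
}
```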
libcurl cookie domain tailmatch
When communicating over HTTP(S) with libcurl's cookie engine enabled, libcurl stores cookies and sends them with subsequent requests to hosts and paths that match those kept cookies. Due to a bug in the tailmatching function, libcurl could wrongly send cookies meant for the domain ample.com when communicating with example.com.
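A cookie domain tailmatch with the boundary check the bug above lacked, as an added example (not libcurl's own tailmatch code). A cookie domain covers a host only when it is the whole host or a suffix that begins right after a dot, so "ample.com" does not cover "example.com"; public-suffix rules are out of scope here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Case-insensitive byte comparison, since DNS names are not case sensitive. */
static bool eq_nocase(const char *a, const char *b, size_t n)
{
    for(size_t i = 0; i < n; i++)
        if(tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Return true when the cookie 'domain' covers 'host': either the two are
 * equal, or 'domain' is a suffix of 'host' that begins right after a dot.
 * The dot-boundary test is what keeps a cookie stored for ample.com from
 * being sent to example.com, even though "ample.com" is a suffix of it. */
bool cookie_tailmatch(const char *domain, const char *host)
{
    size_t dlen, hlen;
    if(*domain == '.')          /* a leading dot adds nothing to the match */
        domain++;
    dlen = strlen(domain);
    hlen = strlen(host);
    if(dlen == 0 || dlen > hlen)
        return false;
    if(!eq_nocase(host + (hlen - dlen), domain, dlen))
        return false;           /* not a suffix at all */
    /* exact match, or the suffix starts right after a dot in the host */
    return dlen == hlen || host[hlen - dlen - 1] == '.';
}
```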
libcurl SASL buffer overflow vulnerability
When negotiating SASL DIGEST-MD5 authentication, the function Curl_sasl_create_digest_md5_message() uses the data provided by the server without doing the proper length checks, and that data is then appended to a local fixed-size buffer on the stack.
curl SSL CBC IV vulnerability
curl URL sanitization vulnerability
libcurl inappropriate GSSAPI delegation
When doing GSSAPI authentication, libcurl unconditionally performs credential delegation. This hands the server a copy of the client's security credentials, allowing the server to impersonate the client to any other server using the same GSSAPI mechanism. This is obviously a very sensitive operation, which should only be done when the user explicitly directs it.
The GSS/Negotiate feature is only used by libcurl for HTTP authentication if told to, and only if libcurl was built with a library that provides the GSSAPI. Many builds of libcurl don't have GSS enabled.
curl local file overwrite
curl offers a command line option --remote-header-name (also usable as -J) which will use the file name of the Content-disposition: header when it saves the downloaded data locally.
curl attempts to cut off the directory parts from any given file name in the header to only store files in the current directory. It will overwrite a local file using the same name as the header specifies.
libcurl data callback excessive length
When downloading compressed content over HTTP and the application has asked libcurl to automatically uncompress it with the CURLOPT_ENCODING option, libcurl could wrongly provide the callback with more data than the documented maximum amount. An application could thus be tricked into misbehaving if it trusted libcurl itself to enforce the maximum limit (as it is documented to do).
libcurl embedded zero in cert name
SSL and TLS Server certificates contain one or more fields with server name or otherwise matching patterns. These strings are stored as content and length within the certificate, and thus there is no particular terminating character.
curl's OpenSSL interfacing code made faulty assumptions about those names and patterns being zero terminated, allowing itself to be fooled in case a certificate would get a zero byte embedded into one of the name fields. To illustrate, a name that would show this vulnerability could look like:
This cert is thus made for "haxx.se" but curl would erroneously verify it with no complaints for "example.com".
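An added example (not curl's own verification code) contrasting the faulty assumption with a length-aware check. The certificate field is handled as (pointer, length), exactly as it is stored, and a zero byte inside it is treated as malformed and rejected; the sample field is constructed here to mirror the description above and is not taken from any real certificate. Wildcard matching is deliberately left out.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Match a certificate name field against the host we connected to. The
 * field is passed as (name, name_len) exactly as stored in the certificate,
 * with no assumption that it is NUL terminated. A zero byte can never occur
 * in a real DNS name, so one inside the field means the certificate is
 * malformed and the match fails; otherwise the comparison is length-aware
 * and case-insensitive. */
bool cert_name_matches(const unsigned char *name, size_t name_len, const char *host)
{
    if(memchr(name, '\0', name_len) != NULL)
        return false;                    /* embedded zero: reject outright */
    if(name_len != strlen(host))
        return false;
    for(size_t i = 0; i < name_len; i++)
        if(tolower(name[i]) != tolower((unsigned char)host[i]))
            return false;
    return true;
}

/* The faulty assumption the advisory describes: handing the field to a C
 * string function stops at the first zero byte, so only the bytes before it
 * are compared and the remainder of the field is never looked at. */
bool cert_name_matches_cstr(const unsigned char *name, const char *host)
{
    return strcmp((const char *)name, host) == 0;
}

/* Constructed sample field (20 bytes): "example.com", a zero byte, ".haxx.se".
 * Not from a real certificate; it only instantiates the pattern described. */
const unsigned char sample_field[] = "example.com\0.haxx.se";
#define SAMPLE_FIELD_LEN (sizeof(sample_field) - 1)
```

The C-string comparison accepts the constructed field for "example.com" while the length-aware check refuses it.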
libcurl Arbitrary File Access
When told to follow a "redirect" automatically, libcurl does not question the new target URL but will follow any new URL that it understands. As libcurl supports FILE:// URLs, a rogue server can thus "trick" a libcurl-using application into reading a local file instead of the remote one.
This is a problem, for example, when the application is running on a server and is written to upload or otherwise provide the transferred data to a user, to another server or to another application, etc., as it can be used to expose local files it was not meant to.
The problem can also be exploited for uploading, if the rogue server redirects the client to a local file and thus it would (over)write a local file instead of sending it to the server.
libcurl compiled to support SCP can be tricked into fetching a file using embedded semicolons, which can lead to execution of commands on the given server. "Location: scp://name:passwd@host/a'``;date >/tmp/test``;'".
Files on servers other than the one running libcurl are also accessible when credentials for those servers are stored in the .netrc file of the user running libcurl. This is most common for FTP servers, but can occur with any protocol supported by libcurl. Files on remote SSH servers are also accessible when the user has an unencrypted SSH key.
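The defence the advisory above implies is a scheme allowlist applied to every redirect target before it is followed (libcurl itself exposes this as the CURLOPT_REDIR_PROTOCOLS option; the helper below is an added, stand-alone illustration of the same idea, not libcurl's code). It assumes the Location value is an absolute URL; a relative one has no scheme and must be resolved against the original URL before this check.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Copy the scheme of 'url' (the part before "://"), lowercased, into 'out'.
 * Returns false when the URL has no scheme, the scheme is empty or too long,
 * or it contains characters RFC 3986 does not allow in a scheme. */
static bool url_scheme(const char *url, char *out, size_t outsize)
{
    const char *sep = strstr(url, "://");
    size_t n = sep ? (size_t)(sep - url) : 0;
    if(!sep || n == 0 || n >= outsize || !isalpha((unsigned char)url[0]))
        return false;
    for(size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)url[i];
        if(!isalnum(c) && c != '+' && c != '-' && c != '.')
            return false;
        out[i] = (char)tolower(c);
    }
    out[n] = '\0';
    return true;
}

/* Decide whether the client may follow an automatic redirect to 'location'.
 * Only http and https are accepted, so a Location header that points at
 * file://, scp:// or any other scheme the client happens to support is
 * refused by the application rather than fetched. */
bool redirect_allowed(const char *location)
{
    static const char *const allowed[] = { "http", "https" };
    char scheme[16];
    if(!url_scheme(location, scheme, sizeof scheme))
        return false;           /* no usable scheme: do not follow blindly */
    for(size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if(strcmp(scheme, allowed[i]) == 0)
            return true;
    return false;
}
```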
libcurl GnuTLS insufficient cert verification
libcurl (when built to use GnuTLS) fails to verify that a peer's certificate hasn't already expired or hasn't yet become valid. This allows malicious servers to present certificates to libcurl that won't be rejected properly.
libcurl TFTP Packet Buffer Overflow
libcurl URL Buffer Overflow
libcurl NTLM Buffer Overflow
libcurl's NTLM function can overflow a stack-based buffer if given an overly long user name or domain name. This would happen if you enable NTLM authentication and either:
There is no known exploit/malicious server at the time of this writing.
The notification mail to us about this flaw was also sent to a public wget mailing list and thus became public immediately.
Kerberos Authentication Buffer Overflow
Due to bad usage of the base64 decode function to a stack-based buffer without checking the data length, it was possible for a malicious FTP server to overflow the client during krb4 negotiation. I don't know of any single user that uses krb4-ftp and I'm not even sure it still works 100%. The announcement was done without contacting us.
NTLM Authentication Buffer Overflow
Due to bad usage of the base64 decode function to a stack-based buffer without checking the data length, it was possible for a malicious HTTP server to overflow the client during NTLM negotiation. The announcement was done without contacting us.
Proxy Authentication Header Information Leakage
FTP Server Response Buffer Overflow
When storing an FTP server's error message on failure, there was no check for input length, and thus a malicious FTP server could overflow curl's stack-based buffer. SecurityFocus lists two exploits.
Page updated December 3, 2013.