libcurl Arbitrary File Access
                         =============================

Project cURL Security Advisory, March 3rd 2009
http://curl.haxx.se/docs/security.html

1. VULNERABILITY

   When told to follow a "redirect" automatically, libcurl does not question
   the new target URL but will follow to any new URL that it understands. As
   libcurl supports FILE:// URLs, a rogue server can thus "trick" a
   libcurl-using application to read a local file instead of the remote one.

   This is a problem, for example, when the application is running on a server
   and is written to upload or to otherwise provide the transfered data to a
   user, to another server or to another application etc, as it can be used to
   expose local files it was not meant to.

   The problem can also be exploited for uploading, if the rogue server
   redirects the client to a local file and thus it would (over)write a local
   file instead of sending it to the server.

   libcurl compiled to support SCP can get tricked to get a file using embedded
   semicolons, which can lead to execution of commands on the given
   server. "Location: scp://name:passwd_at_host/a'``;date >/tmp/test``;'".

   Files on servers other than the one running libcurl are also accessible when
   credentials for those servers are stored in the .netrc file of the user
   running libcurl. This is most common for FTP servers, but can occur with
   any protocol supported by libcurl. Files on remote SSH servers are also
   accessible when the user has an unencrypted SSH key.

   There is no known exploit at the time of this writing.

   The Common Vulnerabilities and Exposures (CVE) project has assigned the name
   CVE-2009-0037 to this issue.

2. AFFECTED VERSIONS

   Affected versions: curl and libcurl 5.11(!) to and including 7.19.3
   Not affected versions: curl and libcurl 5.10 and earlier, 7.19.4 and later

   Also note that (lib)curl is used by many applications, and not always
   advertised as such.

3. THE SOLUTION

   libcurl 7.19.4 introduces a new option called CURLOPT_REDIR_PROTOCOLS, which
   applications can use to tell libcurl what target protocols automatic
   redirect followings are allowed to use. This will by default exclude FILE
   and SCP URLs.

4. RECOMMENDATIONS

   We suggest you take one of the following actions immediately, in order of
   preference:

   A - Upgrade to curl and libcurl 7.19.4

   B - Apply the suitable patch and rebuild

     For current CVS HEAD:
     http://curl.haxx.se/CVE-2009-0037/curl-CVSHEAD-CVE-2009-0037.patch

     For curl 7.19.0:
     http://curl.haxx.se/CVE-2009-0037/curl-7.19.0-CVE-2009-0037.patch

     For curl 7.18.2:
     http://curl.haxx.se/CVE-2009-0037/curl-7.18.2-CVE-2009-0037.patch

     For curl 7.18.1:
     http://curl.haxx.se/CVE-2009-0037/curl-7.18.1-CVE-2009-0037.patch

     For curl 7.16.4:
     http://curl.haxx.se/CVE-2009-0037/curl-7.16.4-CVE-2009-0037.patch

     For curl 7.15.1:
     http://curl.haxx.se/CVE-2009-0037/curl-7.15.1-CVE-2009-0037.patch

     For curl 7.11.0:
     http://curl.haxx.se/CVE-2009-0037/curl-7.11.0-CVE-2009-0037.patch

   C - Disable automatic redirection following in your application and do the
       logic "manually" instead.

5. TIME LINE

   We were notified by David Kierznowski on Feb 6th, 2009.

   We discussed solutions and a first patch was written and tested on Feb 11th.

   Vendor-sec was contacted on Feb 12, 2009.

   We agreed on and coordinated the synchronous disclosure of this problem
   together with the curl 7.19.4 release.

   curl 7.19.4 was released on March 3 2009, just before this flaw was publicly
   disclosed.

6. CREDITS

   Reported to us by David Kierznowski. Thanks a lot!

   Daniel Fandrich researched the issue and helped with the fix.

   Michal Marek brought the SCP side of this issue and did a bunch of the
   patch backports.

   Daniel Stenberg wrote the primary patch and this advisory.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html