cURL / Mailing Lists / curl-users / Single Mail

curl-users

[SECURITY ADVISORY] URL request injection

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 8 Jan 2015 09:39:58 +0100 (CET)

URL request injection
=====================

Project cURL Security Advisory, January 8th 2015 -
[Permalink](http://curl.haxx.se/docs/adv_20150108B.html)

VULNERABILITY
-------------

When libcurl sends a request to a server via a HTTP proxy, it copies the
entire URL into the request and sends if off.

If the given URL contains line feeds and carriage returns those will be sent
along to the proxy too, which allows the program to for example send a
separate HTTP request injected embedded in the URL.

Many programs allow some kind of external sources to set the URL or provide
partial pieces for the URL to ask for, and if the URL as received from the
user is not stripped good enough this flaw allows malicious users to do
additional requests in a way that was not intended, or just to insert request
headers into the request that the program didn't intend.

We are not aware of any exploit of this flaw.

INFO

----
This flaw can also affect the curl command line tool if a similar operation
series is made with that.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2014-8150 to this issue.
AFFECTED VERSIONS
-----------------
- Affected versions: from curl 6.0 to and including 7.39.0
- Not affected versions: libcurl >= 7.40.0
libcurl is used by many applications, but not always advertised as such!
THE SOLUTION
------------
libcurl 7.40.0 makes sure that the URL passed to the proxy may never contain
neither carriage returns nor line feeds characters.
A patch for this problem is available at:
     http://curl.haxx.se/CVE-2014-8150.patch
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
A - Upgrade to curl and libcurl 7.40.0
B - Apply the patch and rebuild libcurl
C - Only use URLs that are carefully stripped from line feeds and carriage
     returns
TIME LINE
---------
It was first reported to the curl project on December 25 2014.
We contacted distros_at_openwall on December 28.
libcurl 7.40.0 was released on January 8th 2015, coordinated with the
publication of this advisory.
CREDITS
-------
Reported by Andrey Labunets (Facebook)
Thanks a lot!
-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Received on 2015-01-08

This message: [ Message body ]
Next message: Mokhtar BEN MESSAOUD: "curl download performances"
Previous message: Daniel Stenberg: "[SECURITY ADVISORY] darwinssl certificate check bypass"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]