curl Security

We take security seriously and develop curl and libcurl to be secure and safe.

If you find or simply suspect a security problem in curl or libcurl, mail curl-security at haxx.se (a closed list of recipients; mails sent to it are not disclosed) and tell us.

For the sake of our users, we appreciate being notified in advance, before you go public with a security advisory.

See also the Vulnerabilities Table, which shows which versions are vulnerable to which flaws.

libcurl embedded zero in cert name

Date: August 12, 2009
ID: CVE-2009-2417
Affected versions: 7.4 to and including 7.19.5
Not affected versions: 7.19.6 and later
Patches: curl.haxx.se/CVE-2009-2417
Advisories: Project cURL Security Advisory

SSL and TLS server certificates contain one or more fields holding a server name or a pattern to match against one. These strings are stored in the certificate as content plus an explicit length, so there is no particular terminating character.

curl's OpenSSL interfacing code made the faulty assumption that those names and patterns are zero terminated, which let it be fooled by a certificate with a zero byte embedded in one of the name fields. To illustrate, a name that triggers this vulnerability could look like:

    "example.com\0.haxx.se"

This cert is thus issued for "haxx.se", but curl would erroneously accept it, without complaint, for "example.com".

According to a recently published presentation, this kind of zero embedding has been proven possible with at least one CA.
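To make the failure concrete, here is an added example (not curl's own code) that compares a certificate name field, stored as bytes plus a length, against a host name in the two ways described above: first as a C string, which stops at the embedded zero, then with the full declared length. `struct cert_name`, `match_vulnerable` and `match_fixed` are hypothetical names for this example; the sample name bytes are constructed from the string shown above.

```c
#include <stdio.h>
#include <string.h>

/* A certificate name field as it comes out of the ASN.1 structure:
 * a byte string with an explicit length and no implied terminator.
 * (Hypothetical type for this example; OpenSSL's ASN1_STRING is the
 * real-world equivalent.) */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Vulnerable pattern, modelled on the behaviour described for curl up to
 * 7.19.5: the field is treated as a NUL-terminated C string, so the
 * comparison stops at the first zero byte and never sees what follows. */
int match_vulnerable(const struct cert_name *name, const char *host)
{
    return strcmp((const char *)name->data, host) == 0;
}

/* Fixed pattern: reject any name containing an embedded NUL, then compare
 * the full declared length, so the ".haxx.se" after the zero byte counts. */
int match_fixed(const struct cert_name *name, const char *host)
{
    size_t hostlen = strlen(host);

    if (memchr(name->data, '\0', name->len) != NULL)
        return 0;                       /* embedded zero byte: reject */
    if (name->len != hostlen)
        return 0;                       /* length must match exactly */
    return memcmp(name->data, host, hostlen) == 0;
}

/* Constructed sample: the advisory's "example.com\0.haxx.se" (20 bytes),
 * and an honest "haxx.se" for comparison. */
static const unsigned char evil_bytes[] = "example.com\0.haxx.se";
const struct cert_name evil_name = { evil_bytes, sizeof(evil_bytes) - 1 };

static const unsigned char good_bytes[] = "haxx.se";
const struct cert_name good_name = { good_bytes, sizeof(good_bytes) - 1 };

int main(void)
{
    printf("vulnerable: evil cert matches example.com? %d\n",
           match_vulnerable(&evil_name, "example.com"));
    printf("fixed:      evil cert matches example.com? %d\n",
           match_fixed(&evil_name, "example.com"));
    printf("fixed:      good cert matches haxx.se?     %d\n",
           match_fixed(&good_name, "haxx.se"));
    return 0;
}
```

The memchr check is the essential part: once a name field is known to contain no zero byte, it is safe to hand the bytes to length-aware comparisons, and a wildcard matcher built on the same (data, len) pair inherits the protection.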

libcurl Arbitrary File Access

Date: March 3, 2009
ID: CVE-2009-0037
Affected versions: 5.11 to and including 7.19.3
Not affected versions: 5.10 and earlier, 7.19.4 and later
Patches: curl.haxx.se/CVE-2009-0037
Advisories: Project cURL Security Advisory

When told to follow a "redirect" automatically, libcurl does not question the new target URL but follows any new URL it understands. As libcurl supports FILE:// URLs, a rogue server can thus "trick" a libcurl-using application into reading a local file instead of the remote one.

This is a problem, for example, when the application runs on a server and is written to upload or otherwise provide the transferred data to a user, to another server or to another application, as the redirect can be used to expose local files it was not meant to.

The problem can also be exploited for uploading: if the rogue server redirects the client to a local file, the client would (over)write a local file instead of sending the data to the server.

libcurl compiled to support SCP can be tricked into fetching a file using embedded semicolons, which can lead to execution of commands on the given server: "Location: scp://name:passwd@host/a'``;date >/tmp/test``;'".

Files on servers other than the one running libcurl are also accessible when credentials for those servers are stored in the .netrc file of the user running libcurl. This is most common for FTP servers, but can occur with any protocol libcurl supports. Files on remote SSH servers are also accessible when the user has an unencrypted SSH key.
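An added example, not libcurl's code, of the check that has to happen before a Location: value is acted on: the redirect target's scheme is compared against an allow list, and a relative URL is judged by the scheme of the original request. `url_scheme`, `redirect_allowed` and the allow list are hypothetical names for this example; the URLs in main and in the tests are constructed from the FILE and SCP cases above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Schemes a redirect may land on. Hypothetical policy for this example:
 * HTTP(S) only, so file://, scp://, ftp:// and everything else is refused
 * even though the transfer library may understand them. */
static const char *const allowed_redirect_schemes[] = { "http", "https" };
#define N_ALLOWED (sizeof allowed_redirect_schemes / sizeof allowed_redirect_schemes[0])

/* Copy the scheme of url into buf, lower-cased (RFC 3986: an ALPHA followed
 * by ALPHA / DIGIT / "+" / "-" / "."). Returns 1 on success, 0 when url has
 * no scheme (a relative reference), -1 when the scheme does not fit in buf. */
int url_scheme(const char *url, char *buf, size_t bufsize)
{
    size_t i = 0;

    if (!isalpha((unsigned char)url[0]))
        return 0;
    while (url[i] && (isalnum((unsigned char)url[i]) ||
                      url[i] == '+' || url[i] == '-' || url[i] == '.')) {
        if (i + 1 >= bufsize)
            return -1;                  /* too long to be any scheme we allow */
        buf[i] = (char)tolower((unsigned char)url[i]);
        i++;
    }
    if (url[i] != ':')
        return 0;                       /* "index.html", "/path": relative */
    buf[i] = '\0';
    return 1;
}

/* Decide whether a Location: value may be followed. A relative redirect keeps
 * the scheme of the original request, so it is checked against that. */
int redirect_allowed(const char *original_scheme, const char *location)
{
    char scheme[16];
    const char *candidate;
    size_t k;
    int rc = url_scheme(location, scheme, sizeof scheme);

    if (rc < 0)
        return 0;                       /* unparseable scheme: refuse */
    candidate = (rc == 1) ? scheme : original_scheme;

    for (k = 0; k < N_ALLOWED; k++)
        if (strcmp(candidate, allowed_redirect_schemes[k]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed Location: values, including the FILE and SCP cases above. */
    const char *targets[] = {
        "https://example.com/data",
        "/relative/path",
        "file:///etc/passwd",
        "scp://name:passwd@host/a",
        "FTP://host/pub/file",
    };
    size_t i;

    for (i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%-28s -> %s\n", targets[i],
               redirect_allowed("http", targets[i]) ? "follow" : "refuse");
    return 0;
}
```

libcurl 7.19.4 and later carry this policy natively through the CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS options, with FILE and SCP excluded from redirects by default. An application stuck on an older libcurl has to do the equivalent itself, for instance by not enabling CURLOPT_FOLLOWLOCATION and instead reading the Location: header and re-issuing the request only after a check like the one above.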

libcurl GnuTLS insufficient cert verification

Date: July 10, 2007
ID: BID 24938, CVE-2007-3564
Affected versions: 7.14.0 to and including 7.16.3
Not affected versions: 7.13.2 and earlier, 7.16.4 and later
Patch: libcurl-gnutlscert.patch
Advisories: Project cURL Security Advisory

libcurl (when built to use GnuTLS) fails to verify that a peer's certificate has not already expired or has not yet become valid. This allows malicious servers to present certificates to libcurl that are not rejected as they should be.

Notably, the CA cert and common name checks are still in place, which reduces the risk of random servers taking advantage of this flaw.

libcurl TFTP Packet Buffer Overflow

Date: March 20, 2006
ID: BID 17154, SA19271, CVE-2006-1061
Affected versions: 7.15.0 to and including 7.15.2
Not affected versions: 7.14.1 and earlier, 7.15.3 and later
Patch: libcurl-tftp.patch
Advisories: Project cURL Security Advisory

libcurl uses the file part of a TFTP URL in a manner that lets a malicious user overflow a heap-based memory buffer, due to a missing boundary check.

libcurl URL Buffer Overflow

Date: December 7, 2005
ID: BID 15756, SA17907, CVE-2005-4077
Affected versions: 7.11.2 to and including 7.15.0
Not affected versions: 7.11.1 and earlier, 7.15.1 and later
Patch: libcurl-urllen.patch (Note: for 7.14.0 and earlier the patch MUST be made to do +3 and not just +2.)
Advisories: Project cURL Security Advisory, Hardened-PHP Advisory

libcurl's URL parser function can overflow a malloc'ed buffer in two ways if given a too long URL.

libcurl NTLM Buffer Overflow

Date: October 13, 2005
ID: BID 15102, CAN-2005-3185
Affected versions: 7.10.6 to and including 7.14.1
Not affected versions: 7.10.5 and earlier, 7.15.0 and later
Patch: libcurl-ntlmbuf.patch
Advisories: Project cURL Security Advisory, iDEFENSE's advisory

libcurl's NTLM function can overflow a stack-based buffer if given a too long user name or domain name. This happens if you enable NTLM authentication and either:

  1. pass in a user name and domain name to libcurl that together are longer than 192 bytes, or
  2. allow (lib)curl to follow HTTP "redirects" (Location: together with the appropriate HTTP 30x response code) and the new URL contains a user name and domain name that together are longer than 192 bytes.

There was no known exploit or malicious server at the time of writing.

The notification mail to us about this flaw was also sent to a public wget mailing list and thus became public immediately.

Kerberos Authentication Buffer Overflow

Date: February 21, 2005
ID: BID 12616, CAN-2005-0490
Affected versions: 7.3 to and including 7.13.0
Not affected versions: 7.13.1 and later
Advisories: iDEFENSE's advisory

Due to bad usage of the base64 decode function into a stack-based buffer without checking the data length, it was possible for a malicious FTP server to overflow the client during krb4 negotiation. I don't know of any single user that uses krb4-ftp and I'm not even sure it still works 100%. The announcement was done without contacting us.

NTLM Authentication Buffer Overflow

Date: February 21, 2005
ID: BID 12615, CAN-2005-0490
Affected versions: 7.10.6 to and including 7.13.0
Not affected versions: 7.13.1 and later
Advisories: iDEFENSE's advisory

Due to bad usage of the base64 decode function into a stack-based buffer without checking the data length, it was possible for a malicious HTTP server to overflow the client during NTLM negotiation. The announcement was done without contacting us.
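The krb4 and NTLM entries above share one cause: base64 output written into a fixed stack buffer without first checking that the decoded data fits. The following added example (not curl's code) is a base64 decoder that carries the output capacity through and fails, rather than overflows, when the decoded data would not fit; the same check-the-length-before-writing discipline is the fix for the NTLM 192-byte, URL parser, TFTP and FTP response entries on this page as well. `b64_decode_bounded` and the two helpers are hypothetical names for this example, and the base64 strings are constructed inputs.

```c
#include <stdio.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, or -1. */
static int b64_value(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 text into out, writing at most outcap bytes.
 * Returns the decoded length, or -1 if the input is malformed or the
 * decoded data would not fit. The outcap check before every write is what
 * the 2005 code lacked when it decoded straight into a stack buffer. */
long b64_decode_bounded(const char *in, unsigned char *out, size_t outcap)
{
    size_t inlen = strlen(in);
    size_t i, outlen = 0;
    unsigned int acc = 0;           /* bit accumulator, low 24 bits used */
    int bits = 0;                   /* number of valid bits in acc */

    if (inlen % 4 != 0)
        return -1;                  /* base64 always comes in quads */

    for (i = 0; i < inlen; i++) {
        int v;
        if (in[i] == '=') {
            if (i + 2 < inlen)      /* '=' only in the last two positions */
                return -1;
            break;
        }
        v = b64_value((unsigned char)in[i]);
        if (v < 0)
            return -1;              /* not a base64 character */
        acc = ((acc << 6) | (unsigned int)v) & 0xffffffu;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (outlen >= outcap)
                return -1;          /* would overflow the caller's buffer */
            out[outlen++] = (unsigned char)((acc >> bits) & 0xffu);
        }
    }
    for (; i < inlen; i++)          /* anything after the first '=' is '=' */
        if (in[i] != '=')
            return -1;
    return (long)outlen;
}

/* Helpers for the demonstration: decode into a scratch buffer of the
 * requested capacity (at most 64) and report what happened. */
long decoded_len_with_capacity(const char *in, size_t cap)
{
    unsigned char scratch[64];
    if (cap > sizeof scratch)
        cap = sizeof scratch;
    return b64_decode_bounded(in, scratch, cap);
}

int decodes_to(const char *in, const char *expected)
{
    unsigned char scratch[64];
    long n = b64_decode_bounded(in, scratch, sizeof scratch);
    return n >= 0 && (size_t)n == strlen(expected) &&
           memcmp(scratch, expected, (size_t)n) == 0;
}

int main(void)
{
    /* Constructed inputs: a well-formed string that fits, the same string
     * offered a buffer that is too small, and a malformed one. */
    printf("aGVsbG8= into 8 bytes: %ld\n", decoded_len_with_capacity("aGVsbG8=", 8));
    printf("aGVsbG8= into 4 bytes: %ld\n", decoded_len_with_capacity("aGVsbG8=", 4));
    printf("T===     into 8 bytes: %ld\n", decoded_len_with_capacity("T===", 8));
    return 0;
}
```

A caller that receives -1 for a server-supplied token (an NTLM type-2 message, a krb4 challenge) should abort the authentication rather than retry with a bigger buffer; the input came from the peer, and "too big" is exactly the condition an attacker controls.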

Proxy Authentication Header Information Leakage

Date: August 3, 2003
ID: BID 8432
Affected versions: 7.1 to and including 7.10.6
Not affected versions: 7.10.7 and later

When curl connected to a site via an HTTP proxy using the CONNECT request, the user name and password used for the proxy connection were also sent to the remote server.

FTP Server Response Buffer Overflow

Date: October 13, 2000
ID: BID 1804, CVE-2000-0973
Affected versions: 6.0 (and possibly earlier) to and including 7.4
Not affected versions: 7.4.1 and later

When storing an FTP server's error message on failure, there was no check of the input length, and thus a malicious FTP server could overflow curl's stack-based buffer. SecurityFocus lists two exploits.

Page updated December 8, 2009.