CVE-2013-0249 – cURL - Buffer Overflow (PoC)
https://notcve.org/view.php?id=CVE-2013-0249
Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the realm parameter in a (1) POP3, (2) SMTP or (3) IMAP message. Desbordamiento de búfer basado en pila en la función de curl_sasl_create_digest_md5_message de libcurl en lib/curl_sasl.c v7.26.0 hasta v7.28.1 a durante la negociación de la autenticación SASL DIGEST-MD5, lo que permite a atacantes remotos provocar una denegación de servicio (caída de la aplicación) y posiblemente ejecutar código de su elección a través de una cadena demasiado larga en el parámetro 'realm' en un mensaje (1) POP3, (2) SMTP o (3) IMAP. • https://www.exploit-db.com/exploits/24487 http://blog.volema.com/curl-rce.html http://curl.haxx.se/docs/adv_20130206.html http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html http://lists.fedoraproject.org/pipermail/package-announce/2013-February/099140.html http://nakedsecurity.sophos.com/2013/02/10/anatomy-of-a-vulnerability-curl-web-download-toolkit-holed-by-authentication-bug http://packetstormsecurity.com/files/120147/cURL-Buffer-Overflow.html http://packetstormsecurity.com • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2012-0036
https://notcve.org/view.php?id=CVE-2012-0036
curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol. curl y libcurl v7.2x anteriores v7.24.0 no consideran de forma adecuada los caracteres especiales cuando extraen una ruta de un fichero de una URL, lo que permite a atacantes remotos realizar ataques de injección de datos mediente una URL manipulada, como se demostró mediante un atque de injección CRLF sobre los protocolos (1) IMAP, (2) POP3, y (3) SMTP. • http://curl.haxx.se/curl-url-sanitize.patch http://curl.haxx.se/docs/adv_20120124.html http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041 http://lists.apple.com/archives/security-announce/2012/May/msg00001.html http://secunia.com/advisories/48256 http://security.gentoo.org/glsa/glsa-201203-02.xml http://support.apple.com/kb/HT5281 http://www.debian.org/security/2012/dsa-2398 http://www.mandriva.com/security/advisories?name=MDVSA-2012:058 http: • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2011-3389 – HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
https://notcve.org/view.php?id=CVE-2011-3389
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. El protocolo SSL, como se utiliza en ciertas configuraciones en Microsoft Windows y Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera y otros productos, cifra los datos mediante el uso del modo CBC con vectores de inicialización encadenados, lo que permite a atacantes man-in-the-middle obtener cabeceras HTTP en texto plano a través de un ataque blockwise chosen-boundary (BCBA) en una sesión HTTPS, junto con el código de JavaScript que usa (1) la API WebSocket HTML5, (2) la API Java URLConnection o (3) la API Silverlight WebClient, también conocido como un ataque "BEAST". • http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx http://curl.haxx.se/docs/adv_20120124B.html http://downloads.asterisk.org/pub/security/AST-2016-001.html http://ekoparty.org/2011/juliano-rizzo.php http://eprint.iacr.org/2004/111 http: • CWE-326: Inadequate Encryption Strength •
CVE-2010-3842
https://notcve.org/view.php?id=CVE-2010-3842
Absolute path traversal vulnerability in curl 7.20.0 through 7.21.1, when the --remote-header-name or -J option is used, allows remote servers to create or overwrite arbitrary files by using \ (backslash) as a separator of path components within the Content-disposition HTTP header. Vulnerabilidad de salto de directorio absoluto en curl v7.20.0 hasta v7.21.1, cuando se utiliza la opción --remote-header-name o -J, permite a los servidores remotos crear o sobreescribir archivos arbitrarios mediante el uso de \ (barra invertida) como un separador de componentes de la ruta dentro de la cabecera HTTP Content-disposition. • http://curl.haxx.se/docs/adv_20101013.html http://secunia.com/advisories/39532 http://securitytracker.com/id?1024583 http://www.openwall.com/lists/oss-security/2010/10/13/1 http://www.openwall.com/lists/oss-security/2010/10/13/4 http://www.openwall.com/lists/oss-security/2010/10/13/5 https://bugzilla.redhat.com/show_bug.cgi?id=642642 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2009-0037 – cURL/libcURL 7.19.3 - HTTP 'Location:' Redirect Security Bypass
https://notcve.org/view.php?id=CVE-2009-0037
The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL. La implementación de redirección en curl y libcurl v5.11 hasta v7.19.3, cuando CURLOPT_FOLLOWLOCATION esta activado, acepta valores de localización a elección del usuario, lo que permite a servidores HTTP remotos (1)iniciar peticiones arbitrarias a servidores de red interna, (2) leer o sobreescribir ficheros arbitrariamente a través de una redirección a un fichero: URL, o (3) ejecutar comando arbitrariamente a través de una redirección a un scp: URL. libcURL suffers from an arbitrary file access and creation vulnerability. • https://www.exploit-db.com/exploits/32834 http://curl.haxx.se/docs/adv_20090303.html http://curl.haxx.se/lxr/source/CHANGES http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00001.html http://lists.vmware.com/pipermail/security-announce/2009/000060.html http://secunia.com/advisories/34138 http://secunia.com/advisories/34202 http://secunia.com/advisories/34237 http://secunia.com/advisories • CWE-352: Cross-Site Request Forgery (CSRF) •