#include "_doctype.html" cURL - Security #include "css.t" #include "manpage.t" #define CURL_DOCS #define DOCS_SECURITY #define CURL_URL docs/security.html #include "_menu.html" #include "setup.t" WHERE2(Docs, "/docs/", Security) TITLE(curl Security) #include "adv-related-box.inc"

We take security seriously and develop curl and libcurl to be secure and safe.

If you find or simply suspect a security problem in curl or libcurl, mail us at curl-security at haxx.se (a closed list of receivers; mails are not disclosed) and tell us about it.

We appreciate getting notified in advance, before you go public with security advisories, for the sake of our users.

See also the Vulnerabilities Table to see which versions are vulnerable to which flaws.

SUBTITLE(libcurl cert name check ignore GnuTLS)

Date: December 17, 2013
ID: CVE-2013-6422
Affected versions: from libcurl 7.21.4 to and including 7.33.0
Not affected versions: libcurl < 7.21.4 and >= 7.34.0
Patch: cve-2013-6422.patch
Advisories: Project cURL Security Advisory

When built to use GnuTLS, libcurl skips the check of the certificate's CN or SAN name field when digital signature verification is turned off.

libcurl offers two separate and independent options for verifying a server's TLS certificate: CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST. The first tells libcurl to verify the trust chain using a CA cert bundle, while the second tells libcurl to make sure that the name fields in the server certificate match the host it is connecting to. Both options are enabled by default.

This flaw had the effect that when an application disabled CURLOPT_SSL_VERIFYPEER, libcurl mistakenly also disabled the CURLOPT_SSL_VERIFYHOST check. Applications can legitimately disable CURLOPT_SSL_VERIFYPEER and still achieve security by doing the chain check on their own using other means, which is why the name check must stay independent of it.

SUBTITLE(libcurl cert name check ignore OpenSSL)

Date: November 15, 2013
ID: CVE-2013-4545
Affected versions: from libcurl 7.18.0 to and including 7.32.0
Not affected versions: libcurl < 7.18.0 and >= 7.33.0
Patch: commit 3c3622b6
Advisories: Project cURL Security Advisory

When built to use OpenSSL, libcurl skips the check of the certificate's CN or SAN name field when digital signature verification is turned off.

libcurl offers two separate and independent options for verifying a server's TLS certificate: CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST. The first tells libcurl to verify the trust chain using a CA cert bundle, while the second tells libcurl to make sure that the name fields in the server certificate match the host it is connecting to. Both options are enabled by default.

This flaw had the effect that when an application disabled CURLOPT_SSL_VERIFYPEER, libcurl mistakenly also disabled the CURLOPT_SSL_VERIFYHOST check. Applications can legitimately disable CURLOPT_SSL_VERIFYPEER and still achieve security by doing the chain check on their own using other means, which is why the name check must stay independent of it.

SUBTITLE(libcurl URL decode buffer boundary flaw)

Date: June 22, 2013
ID: CVE-2013-2174
Affected versions: from libcurl 7.7 to and including 7.30.0
Not affected versions: libcurl < 7.7 and >= 7.31.0
Patch: curl-unescape.patch
Advisories: Project cURL Security Advisory

The function curl_easy_unescape() decodes URL encoded strings to raw binary data. URL encoded octets are represented as %HH, where HH is a two-digit hexadecimal number. The decoded string is written to an allocated memory area that the function returns to the caller.
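
The decoder below is an added example written for this page, not libcurl's own code. It implements the %HH decoding just described over a length-limited input and shows the boundary case this advisory is about: a '%' near the end of the buffer must only be decoded when both hex digits are inside the declared length. The "unchecked" variant reproduces the over-read pattern for contrast; the function names and the test helper are this page's own.

```c
#include <stdlib.h>
#include <string.h>

/* Returns the value of a hex digit, or -1 if `c` is not one. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decodes %HH escapes from the first `len` bytes of `in` into a malloc'ed,
 * NUL-terminated string (caller frees; NULL on allocation failure).
 * check_bounds != 0: a '%' is only decoded when both hex digits lie inside
 *                    [0, len); otherwise it is copied through literally.
 * check_bounds == 0: the two bytes after '%' are examined regardless of
 *                    `len`. This is the over-read pattern the advisory
 *                    describes; in libcurl it led to a heap overwrite. */
static char *decode(const char *in, size_t len, int check_bounds)
{
    char *out = malloc(len + 1);   /* %HH shrinks 3 bytes to 1; never grows */
    size_t i = 0, o = 0;
    if (!out)
        return NULL;
    while (i < len) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%' && (!check_bounds || i + 2 < len)) {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi >= 0 && lo >= 0) {
                out[o++] = (char)((hi << 4) | lo);
                i += 3;
                continue;
            }
        }
        out[o++] = (char)c;   /* not an escape: copy the byte as-is */
        i++;
    }
    out[o] = '\0';
    return out;
}

/* Hardened decoder: never looks past `len`. */
char *url_unescape_n(const char *in, size_t len)
{
    return decode(in, len, 1);
}

/* Bug pattern: trusts the two bytes after '%' to belong to the caller. */
char *url_unescape_unchecked(const char *in, size_t len)
{
    return decode(in, len, 0);
}

/* Helper: decode with either variant and compare the result to `expect`.
 * Returns 1 on match, 0 otherwise (also on allocation failure). */
int unescape_gives(const char *in, size_t len, int checked, const char *expect)
{
    char *got = checked ? url_unescape_n(in, len) : url_unescape_unchecked(in, len);
    int ok = (got != NULL) && strcmp(got, expect) == 0;
    free(got);
    return ok;
}
```

Passing the literal "%41" with a length of 2 hands the decoder a buffer that ends inside the hex triplet: the hardened version returns "%4", while the unchecked version happily consumes the '1' that lies beyond the caller's length and returns "A".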

When given an input buffer limited by an explicit length, and that buffer ends within a hex triplet (a '%' followed by fewer than two characters before the end), libcurl would still parse the rest of the hex number from beyond the buffer and could then overwrite heap memory.

SUBTITLE(libcurl cookie domain tailmatch)

Date: April 12, 2013
ID: CVE-2013-1944
Affected versions: all versions, to and including 7.29.0
Not affected versions: >= 7.30.0
Patch: curl-tailmatch.patch
Advisories: Project cURL Security Advisory

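An added illustration of the tail-matching bug this entry describes (example code written for this page, not libcurl's cookie engine; the domain names come from the advisory): a naive suffix comparison beside one that requires a domain-label boundary.

```c
#include <ctype.h>
#include <string.h>

/* ASCII case-insensitive string equality; DNS names are case-insensitive. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;   /* both strings ended together */
}

/* Bug pattern: a plain suffix test. "ample.com" is a suffix of
 * "example.com", so a cookie set for ample.com gets sent to example.com. */
int tailmatch_naive(const char *cookie_domain, const char *host)
{
    size_t dl = strlen(cookie_domain), hl = strlen(host);
    if (dl > hl)
        return 0;
    return eq_nocase(host + hl - dl, cookie_domain);
}

/* Corrected: the cookie domain must either equal the host or match a
 * suffix that starts right after a '.' in the host, so matching can only
 * happen on label boundaries. A leading '.' on the cookie domain is
 * ignored, as cookie domains are commonly written that way. */
int tailmatch_checked(const char *cookie_domain, const char *host)
{
    size_t dl, hl;
    if (*cookie_domain == '.')
        cookie_domain++;
    dl = strlen(cookie_domain);
    hl = strlen(host);
    if (dl == 0 || dl > hl)
        return 0;
    if (!eq_nocase(host + hl - dl, cookie_domain))
        return 0;
    return dl == hl || host[hl - dl - 1] == '.';
}
```

The checked version still sends a cookie set for example.com to www.example.com, which is the intended behaviour; what it refuses is the ample.com/example.com case where the match ends in the middle of a label.
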
When communicating over HTTP(S) with libcurl's cookie engine enabled, libcurl stores cookies and sends them with subsequent requests to hosts and paths that match the stored cookies. Due to a bug in the tail-matching function, libcurl could wrongly send cookies meant for the domain ample.com when communicating with example.com, since "ample.com" is a plain string suffix of "example.com".

SUBTITLE(libcurl SASL buffer overflow vulnerability)

Date: February 6, 2013
ID: CVE-2013-0249
Affected versions: 7.26.0 to and including 7.28.1
Not affected versions: < 7.26.0 and >= 7.29.0
Patch: Curl_sasl_create_digest_md5_message-fix-buffer-overf.patch
Advisories: Project cURL Security Advisory, Volema's description, securityfocus

When negotiating SASL DIGEST-MD5 authentication, the function Curl_sasl_create_digest_md5_message() uses data provided by the server without proper length checks, and that data is then appended to a fixed-size local buffer on the stack.

SUBTITLE(curl SSL CBC IV vulnerability)

Date: January 24, 2012
ID: (none listed)
Affected versions: 7.10.6 to and including 7.23.1
Not affected versions: < 7.10.6 and >= 7.24.0
Patch: curl-dont-insert-empty-fragments.patch
Advisories: Project cURL Security Advisory

When built to use OpenSSL, curl would wrongly disable OpenSSL's workaround (inserting empty fragments) for the CBC IV weakness in SSL 3.0 and TLS 1.0.

SUBTITLE(curl URL sanitization vulnerability)

Date: January 24, 2012
ID: CVE-2012-0036
Affected versions: 7.20.0 to and including 7.23.1
Not affected versions: < 7.20.0 and >= 7.24.0
Patch: curl-url-sanitize.patch
Advisories: Project cURL Security Advisory

When using URLs for the protocols IMAP, POP3 or SMTP, curl did not properly sanitize the data passed in, which allowed users to embed URL-encoded control characters that curl then decoded and sent as part of the protocol commands.

SUBTITLE(libcurl inappropriate GSSAPI delegation)

Date: June 23, 2011
ID: CVE-2011-2192
Affected versions: 7.10.6 to and including 7.21.6
Not affected versions: <= 7.10.5 and >= 7.21.7
Patch: curl-gssapi-delegation.patch
Advisories: Project cURL Security Advisory

When doing GSSAPI authentication, libcurl unconditionally performs credential delegation. This hands the server a copy of the client's security credentials, allowing the server to impersonate the client to any other service using the same GSSAPI mechanism. This is obviously a very sensitive operation, which should only be done when the user explicitly so directs.

The GSS/Negotiate feature is only used by libcurl for HTTP authentication if told to, and only if libcurl was built with a library that provides the GSSAPI. Many builds of libcurl don't have GSS enabled.

SUBTITLE(curl local file overwrite)

Date: October 13, 2010
ID: CVE-2010-3842
Affected versions: 7.20.0 to and including 7.21.1
Not affected versions: <= 7.19.7 and >= 7.21.2
Patch: curl-content-disposition.patch
Advisories: Project cURL Security Advisory

curl offers a command line option --remote-header-name (also usable as -J) which uses the file name from the Content-Disposition: header when saving the downloaded data locally.

curl attempts to cut off the directory parts of any file name given in the header, so that files are only ever stored in the current directory. It will overwrite a local file with the same name as the header specifies.
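
An added example of the directory stripping at issue in this entry (written for this page; not curl's own code). The first function stops at the last forward slash only, the second treats both separators as directory boundaries, which is what the backslash case in this advisory requires. A caller should still refuse an empty result, since a header ending in a separator leaves no file name.

```c
#include <string.h>

/* Bug pattern: only '/' counts as a directory separator. A header value
 * such as ..\..\evil.txt passes through untouched and, on a system where
 * '\' separates path components, escapes the current directory. */
const char *strip_dirs_slash_only(const char *name)
{
    const char *p = strrchr(name, '/');
    return p ? p + 1 : name;
}

/* Fixed: keep only what follows the last '/' or '\\', whichever is later. */
const char *strip_dirs_both(const char *name)
{
    const char *last = name;
    for (const char *p = name; *p; p++)
        if (*p == '/' || *p == '\\')
            last = p + 1;
    return last;
}

/* Returns 1 if `name` yields a usable local file name after stripping:
 * non-empty, and not the "." or ".." directory entries. */
int local_name_ok(const char *name)
{
    const char *base = strip_dirs_both(name);
    return base[0] != '\0' && strcmp(base, ".") != 0 && strcmp(base, "..") != 0;
}
```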

The stripping of the directory did not take backslashes into account, so a file name using backslashes as directory separators (as on Windows) was not cut down to its last component.

SUBTITLE(libcurl data callback excessive length)

Date: February 9, 2010
ID: CVE-2010-0734
Affected versions: 7.10.5 to and including 7.19.7
Not affected versions: <= 7.10.4 and >= 7.20.0
Patch: libcurl-contentencoding.patch
Advisories: Project cURL Security Advisory

When downloading compressed content over HTTP and the application has asked libcurl to automatically uncompress it with the CURLOPT_ENCODING option, libcurl could wrongly provide the write callback with more data than the documented maximum amount. An application could thus be tricked into misbehaving if it trusted libcurl to enforce that maximum itself (as documented), for example by copying the data into a buffer sized for the documented limit.

SUBTITLE(libcurl embedded zero in cert name)

Date: August 12, 2009
ID: CVE-2009-2417
Affected versions: 7.4 to and including 7.19.5
Not affected versions: 7.19.6 and later
Patches: curl.haxx.se/CVE-2009-2417
Advisories: Project cURL Security Advisory

SSL and TLS server certificates contain one or more fields with the server name or otherwise matching patterns. These strings are stored as content and length within the certificate, and thus have no particular terminating character.

curl's OpenSSL interfacing code made faulty assumptions about those names and patterns being zero terminated, allowing itself to be fooled if a certificate had a zero byte embedded in one of the name fields. To illustrate, a name that would trigger this vulnerability could look like:

    "example.com\0.haxx.se"

This certificate is thus made for a name under haxx.se, but curl would erroneously verify it with no complaints for "example.com".
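
An added example of the comparison mistake in this entry (written for this page; not curl's or OpenSSL's code). The certificate name is modelled as a byte array with an explicit length, using the constructed sample name from the advisory. Real host-name matching also handles case and wildcards, which this deliberately leaves out to isolate the embedded-zero point.

```c
#include <string.h>

/* Constructed sample: the name field from the advisory, 20 bytes long with
 * a NUL after "example.com". Certificate name fields are length-delimited,
 * not C strings, so the embedded zero is part of the name. */
static const unsigned char sample_name[] = "example.com\0.haxx.se";
static const size_t sample_name_len = sizeof(sample_name) - 1;   /* 20 */

/* Bug pattern: treating the field as a NUL-terminated string. strcmp stops
 * at the embedded zero and only ever sees "example.com". */
int name_matches_cstr(const unsigned char *name, size_t len, const char *host)
{
    (void)len;   /* the declared length is ignored, which is the bug */
    return strcmp((const char *)name, host) == 0;
}

/* Fixed: compare over the declared length, and reject any name containing
 * a NUL byte, which is never legitimate in a DNS name. */
int name_matches_len(const unsigned char *name, size_t len, const char *host)
{
    if (memchr(name, '\0', len) != NULL)
        return 0;
    if (strlen(host) != len)
        return 0;
    return memcmp(name, host, len) == 0;
}

/* Convenience wrappers that evaluate the sample name against a host. */
int sample_matches_cstr(const char *host)
{
    return name_matches_cstr(sample_name, sample_name_len, host);
}

int sample_matches_len(const char *host)
{
    return name_matches_len(sample_name, sample_name_len, host);
}
```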

According to a recently published presentation, this kind of zero embedding has been proven to be possible with at least one CA.

SUBTITLE(libcurl Arbitrary File Access)

Date: March 3, 2009
ID: CVE-2009-0037
Affected versions: 5.11 to and including 7.19.3
Not affected versions: 5.10 and earlier, 7.19.4 and later
Patches: curl.haxx.se/CVE-2009-0037
Advisories: Project cURL Security Advisory

When told to follow a "redirect" automatically, libcurl does not question the new target URL but follows any new URL that it understands. As libcurl supports FILE:// URLs, a rogue server can thus "trick" a libcurl-using application into reading a local file instead of the remote one.

This is a problem, for example, when the application is running on a server and is written to upload or otherwise provide the transferred data to a user, to another server or to another application, as it can be used to expose local files it was not meant to.

The problem can also be exploited for uploading: if the rogue server redirects the client to a local file, the client would (over)write that local file instead of sending the data to the server.

libcurl compiled to support SCP can be tricked into fetching a file using embedded semicolons, which can lead to execution of commands on the given server: "Location: scp://name:passwd@host/a'``;date >/tmp/test``;'".
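
The defensive check an application can apply before following a redirect, as an added example written for this page (not libcurl's API or code): extract the scheme from the Location: target and allow only the ones the application expects. Scheme comparison must be case-insensitive, otherwise "FILE://" slips past a check for "file://". A relative reference has no scheme and simply stays on the origin's scheme, so it is allowed through. The function names and the http/https allow-list are this page's assumptions.

```c
#include <ctype.h>
#include <string.h>

/* Schemes the hypothetical application is willing to be redirected to. */
static const char *const allowed_schemes[] = { "http", "https" };

/* Extracts the scheme of `url` (text before the first ':') lower-cased
 * into `out`. Returns 1 on success, 0 if the reference has no scheme
 * (a relative reference), and -1 if a scheme is present but does not fit. */
int url_scheme(const char *url, char *out, size_t outlen)
{
    size_t i;
    for (i = 0; url[i] && url[i] != ':'; i++) {
        int c = (unsigned char)url[i];
        /* Scheme characters are ALPHA / DIGIT / '+' / '-' / '.'; anything
         * else ('/', '?', '#', ...) before a ':' means there is no scheme. */
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.'))
            return 0;
        if (i + 1 >= outlen)
            return -1;            /* longer than any scheme we would accept */
        out[i] = (char)tolower(c);
    }
    if (i == 0 || url[i] != ':' || !isalpha((unsigned char)url[0]))
        return 0;                 /* empty, no ':' found, or not a scheme */
    out[i] = '\0';
    return 1;
}

/* Returns 1 if `location` may be followed: either a relative reference or
 * an absolute URL whose scheme is on the allow-list. Everything else,
 * including file://, scp:// and ftp://, returns 0. */
int redirect_allowed(const char *location)
{
    char scheme[16];
    size_t k;
    int r = url_scheme(location, scheme, sizeof scheme);
    if (r < 0)
        return 0;
    if (r == 0)
        return 1;                 /* relative: inherits the origin's scheme */
    for (k = 0; k < sizeof allowed_schemes / sizeof allowed_schemes[0]; k++)
        if (strcmp(scheme, allowed_schemes[k]) == 0)
            return 1;
    return 0;
}
```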

Files on servers other than the one running libcurl are also accessible when credentials for those servers are stored in the .netrc file of the user running libcurl. This is most common for FTP servers, but can occur with any protocol supported by libcurl. Files on remote SSH servers are also accessible when the user has an unencrypted SSH key.

SUBTITLE(libcurl GnuTLS insufficient cert verification)

Date: July 10, 2007
ID: BID 24938 CVE-2007-3564
Affected versions: 7.14.0 to and including 7.16.3
Not affected versions: 7.13.2 and earlier, 7.16.4 and later
Patch: libcurl-gnutlscert.patch
Advisories: Project cURL Security Advisory

libcurl (when built to use GnuTLS) fails to verify that a peer's certificate has not already expired or has not yet become valid. This allows malicious servers to present certificates that libcurl won't reject properly.

Notably, the CA cert and common name checks are still in place, which reduces the risk of random servers taking advantage of this flaw.

SUBTITLE(libcurl TFTP Packet Buffer Overflow)

Date: March 20, 2006
ID: BID 17154 SA19271 CVE-2006-1061
Affected versions: 7.15.0 to and including 7.15.2
Not affected versions: 7.14.1 and earlier, 7.15.3 and later
Patch: libcurl-tftp.patch
Advisories: Project cURL Security Advisory

libcurl uses the file part of a TFTP URL in a manner that allows a malicious user to overflow a heap-based memory buffer, due to a missing boundary check.

SUBTITLE(libcurl URL Buffer Overflow)

Date: December 7, 2005
ID: BID 15756 SA17907 CVE-2005-4077
Affected versions: 7.11.2 to and including 7.15.0
Not affected versions: 7.11.1 and earlier, 7.15.1 and later
Patch: libcurl-urllen.patch (Note: for 7.14.0 and earlier the patch MUST be made to do +3 and not just +2.)
Advisories: Project cURL Security Advisory, Hardened-PHP Advisory

libcurl's URL parser function can overflow a malloced buffer in two ways if given an overly long URL.

SUBTITLE(libcurl NTLM Buffer Overflow)

Date: October 13, 2005
ID: BID 15102 CAN-2005-3185
Affected versions: 7.10.6 to and including 7.14.1
Not affected versions: 7.10.5 and earlier, 7.15.0 and later
Patch: libcurl-ntlmbuf.patch
Advisories: Project cURL Security Advisory, iDEFENSE's advisory

libcurl's NTLM function can overflow a stack-based buffer if given an overly long user name or domain name. This would happen if you enable NTLM authentication and either:

  1. pass in a user name and domain name to libcurl that together are longer than 192 bytes
  2. allow (lib)curl to follow HTTP "redirects" (Location: and the appropriate HTTP 30x response code) and the new URL contains a user name and domain name that together are longer than 192 bytes

There is no known exploit/malicious server at the time of this writing.

The notification mail to us about this flaw was also sent to a public wget mailing list and thus became public immediately.

SUBTITLE(Kerberos Authentication Buffer Overflow)

Date: February 21, 2005
ID: BID 12616 CAN-2005-0490
Affected versions: 7.3 to and including 7.13.0
Not affected versions: 7.13.1 and later
Advisories: iDEFENSE's advisory

Because the base64 decode function was used to write into a stack-based buffer without checking the data length, it was possible for a malicious FTP server to overflow the client during krb4 negotiation. I don't know of any single user that uses krb4-ftp and I'm not even sure it still works 100%. The announcement was made without contacting us.

SUBTITLE(NTLM Authentication Buffer Overflow)

Date: February 21, 2005
ID: BID 12615 CAN-2005-0490
Affected versions: 7.10.6 to and including 7.13.0
Not affected versions: 7.13.1 and later
Advisories: iDEFENSE's advisory

Because the base64 decode function was used to write into a stack-based buffer without checking the data length, it was possible for a malicious HTTP server to overflow the client during NTLM negotiation. The announcement was made without contacting us.

SUBTITLE(Proxy Authentication Header Information Leakage)

Date: August 3, 2003
ID: BID 8432
Affected versions: 7.1 to and including 7.10.6
Not affected versions: 7.10.7 and later

When curl connected to a site via an HTTP proxy using the CONNECT request, the user name and password used for the proxy connection were also sent to the remote server.

SUBTITLE(FTP Server Response Buffer Overflow)

Date: October 13, 2000
ID: BID 1804 CVE-2000-0973
Affected versions: 6.0 (and possibly earlier) to and including 7.4
Not affected versions: 7.4.1 and later

When storing an FTP server's error message on failure, there was no check of the input length, and thus a malicious FTP server could overflow curl's stack-based buffer. securityfocus lists two exploits.

#include "_footer.html"