Vigil@nce - cURL: obtaining Cookies
April 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can create a site with a domain name matching the end
of another site, in order to force cURL to send its cookies.
Impacted products: cURL, Debian, Fedora, MBS, MES, RHEL
Severity: 2/4
Creation date: 12/04/2013
DESCRIPTION OF THE VULNERABILITY
The cURL application can store received HTTP cookies. These
cookies are then sent with subsequent queries to the same site.
The tailmatch() function of the lib/cookie.c file compares site
names to decide whether cookies have to be sent. However, it
recognizes "http://example.com/" and "http://ple.com/" as being
the same site. The "ple.com" site then receives cookies from
"example.com".
An attacker can therefore create a site with a domain name
matching the end of another site, in order to force cURL to send
its cookies.
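The comparison flaw described above, as an added example (not cURL's own code and not part of the original bulletin): a plain suffix test beside a variant that accepts a match only on a domain-label boundary. The function names naive_tailmatch() and boundary_tailmatch() and the sample host names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>  /* strcasecmp (POSIX) */

/* Weak form (hypothetical name): returns 1 when `little` is a
 * case-insensitive suffix of `bigone`, wherever that suffix starts. */
static int naive_tailmatch(const char *little, const char *bigone)
{
    size_t ll = strlen(little), bl = strlen(bigone);
    if (ll == 0 || ll > bl)
        return 0;
    return strcasecmp(little, bigone + (bl - ll)) == 0;
}

/* Hardened form (hypothetical name): the suffix must be the whole
 * name, or must start at a '.' label boundary inside `bigone`. */
static int boundary_tailmatch(const char *little, const char *bigone)
{
    size_t ll = strlen(little), bl = strlen(bigone);
    if (!naive_tailmatch(little, bigone))
        return 0;
    if (ll == bl)
        return 1;                      /* identical names */
    /* Either `little` carries its own leading dot, or the character
     * just before the matched suffix must be a dot. */
    return little[0] == '.' || bigone[bl - ll - 1] == '.';
}

int main(void)
{
    /* Constructed sample pairs: {little, bigone} */
    static const char *pairs[][2] = {
        {"ple.com",     "example.com"},      /* the case from the bulletin */
        {"example.com", "www.example.com"},  /* legitimate subdomain */
        {"example.com", "example.com"},      /* identical names */
        {"example.com", "ple.com"},          /* longer than the host */
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-12s vs %-16s naive=%d boundary=%d\n",
               pairs[i][0], pairs[i][1],
               naive_tailmatch(pairs[i][0], pairs[i][1]),
               boundary_tailmatch(pairs[i][0], pairs[i][1]));
    return 0;
}
```

Only the first pair differs between the two checks: the plain suffix test accepts "ple.com" against "example.com", while the boundary-aware test rejects it.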
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/cURL-obtaining-Cookies-12664