Vigil@nce - cURL: re-use of non HTTP/FTP connection
April 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
In some cases, an application compiled with libcurl and not using
HTTP/FTP can access to data belonging to another user.
– Impacted products: cURL, Fedora, Slackware
– Severity: 2/4
– Creation date: 26/03/2014
DESCRIPTION OF THE VULNERABILITY
The cURL product supports protocols distinct from HTTP and FTP:
SCP, SFTP, POP3(S), IMAP(S), SMTP(S) and LDAP(S).
In order to optimize its performances, libcurl uses a pool to
store its recent connections. However, after a first non HTTP/FTP
query, if the second query uses a new login, the memorized
connection is reused. In this case, authentication data of the
first query are thus used for the second query.
In some cases, an application compiled with libcurl and not using
HTTP/FTP can therefore access to data belonging to another user.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/cURL-re-use-of-non-HTTP-FTP-connection-14473