curl 7.71.0 release fixing two vulnerabilities

A new version of curl, 7.71.0, is available. curl is a utility for sending and receiving data over the network that can compose flexible requests, setting parameters such as cookie, user_agent, referer and any other headers. cURL supports HTTP, HTTPS, HTTP/2.0, HTTP/3, SMTP, IMAP, POP3, Telnet, FTP, LDAP, RTSP, RTMP and other network protocols. At the same time an update was released for the libcurl library, which is developed in parallel and provides an API for using all of curl's functionality from programs written in languages such as C, Perl, PHP and Python.

The new release adds the "--retry-all-errors" option, which retries an operation after any error, and fixes two vulnerabilities:

  • Vulnerability CVE-2020-8177 allows an attacker-controlled server to overwrite a local file on the client system. The problem occurs only when the "-J" ("--remote-header-name") and "-i" ("--include") options are used together. The "-J" option saves the downloaded file under the name given in the "Content-Disposition" header. If a file with that name already exists, curl normally refuses to overwrite it, but with "-i" present the check is bypassed and the file is overwritten: the check runs when the response body is received, whereas with "-i" the HTTP headers are output first, so they are written to the file before the body is processed. Only the HTTP headers end up in the file, but the server can send arbitrary data in place of headers, and that data will be written.

  • Vulnerability CVE-2020-8169 can leak part of a site password (Basic, Digest, NTLM, etc.) to the DNS server. If the password contains the "@" character, which in a URL also separates the credentials from the host name, then when an HTTP redirect is followed curl sends the part of the password after the "@" together with the domain as the name to resolve. For example, with the password "passw@rd123" and the user name "dan", curl generates the URL "https://dan:passw@rd123@example.com/path" instead of "https://dan:passw%40rd123@example.com/path" and sends a request to resolve the host "rd123@example.com" instead of "example.com".

    The problem manifests itself when following relative HTTP redirects is enabled (the feature is controlled by CURLOPT_FOLLOWLOCATION). With traditional DNS, the leaked part of the password can be learned by the DNS provider and by an attacker able to intercept transit network traffic (even if the original request went over HTTPS, since DNS traffic is not encrypted). With DNS-over-HTTPS (DoH), the leak is limited to the DoH operator.
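    The URL construction behind CVE-2020-8169, as an added example that is not part of the original article or of curl's code: the password from the advisory is embedded in a URL either verbatim or percent-encoded, a deliberately simplified parser that splits the authority at the first "@" (an assumption standing in for the buggy redirect path, not curl's actual implementation) shows which host name would reach the resolver, and a lint check flags URLs whose authority still carries a raw "@" from unencoded credentials.

```python
from urllib.parse import quote


def build_url(user: str, password: str, host: str, path: str, encode: bool = True) -> str:
    """Build an https URL that carries credentials in the userinfo part.

    With encode=True every character outside the RFC 3986 'unreserved' set is
    percent-encoded, so an '@' inside the password becomes '%40'.  With
    encode=False the credentials are concatenated verbatim, reproducing the
    unsafe URL quoted in the advisory.
    """
    if encode:
        user = quote(user, safe="")
        password = quote(password, safe="")
    return f"https://{user}:{password}@{host}{path}"


def _authority(url: str) -> str:
    """Return the authority component (userinfo@host[:port]) of a URL."""
    return url.split("://", 1)[1].split("/", 1)[0]


def host_seen_by_first_at_parser(url: str) -> str:
    """Host name obtained by a parser that ends the userinfo at the FIRST '@'.

    Simplified model of the behaviour the advisory describes (assumption for
    this illustration, not curl's code).  A correct parser uses the LAST '@'.
    """
    authority = _authority(url)
    if "@" not in authority:
        return authority
    _userinfo, _, host = authority.partition("@")
    return host


def userinfo_has_raw_at(url: str) -> bool:
    """Lint check: True if the authority contains more than one '@', which
    means credentials were embedded without percent-encoding."""
    return _authority(url).count("@") > 1


if __name__ == "__main__":
    # Constructed sample: the user name and password quoted in the advisory.
    for enc in (False, True):
        u = build_url("dan", "passw@rd123", "example.com", "/path", encode=enc)
        print(f"{u}\n  resolves: {host_seen_by_first_at_parser(u)}"
              f"  raw '@' in userinfo: {userinfo_has_raw_at(u)}")
```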

Source: opennet.ru
