Vulnerability Development mailing list archives
Re: cURL remote PoC for FBSD
From: Daniel Stenberg <daniel () haxx se>
Date: Tue, 7 May 2002 07:51:39 +0200 (MET DST)
On Sun, 5 May 2002, KF wrote: Hey, I am the curl maintainer and main author. Never seen this until now.
Here is some PoC code for the recent cURL overflows.
The *recent* overflow? You're referring to the buffer overflow reported on bugtraq October 13, 2000. I really can't see how this is recent in any way. This fix was corrected by Colin Robert Phipps and was committed to the curl CVS sources on October 12th, 2000. The fixed version was released on October 16th, 2000.
# Remote FreeBSD cURL exploit for versions 6.1 - 7.4
I don't believe 7.4 is vulnerable. Did you verify this? All the notes from 2000 says the fix is in 7.4.1, but I'll tell you what: the fix is in 7.4 too... (They were released with just a few hours interval due to some mistakes left in the makefiles of the 7.4 release.) Of course, this exploit rqeuires that someone runs a vulnerable curl on the site that runs this evil script. Cheers! -- Daniel Stenberg -- curl groks URLs -- http://curl.haxx.se/
Current thread:
- cURL remote PoC for FBSD KF (May 06)
- Re: cURL remote PoC for FBSD Daniel Stenberg (May 07)
- Re: cURL remote PoC for FBSD sm (May 07)
- Re: cURL remote PoC for FBSD KF (May 07)