Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

wrong facts about curl exploit

From: Daniel Stenberg <daniel () HAXX SE>
Date: Sun, 22 Oct 2000 10:32:54 +0200
Hi

I am the main author of curl, the tool that appeared in the Remote Buffer
Overflow Vulnerability reported on October 13th at

        http://www.securityfocus.com/bid/1804

... the information and discussion are accurate, to the point and describes
the problem (even if somewhat unspecific). However, what is bothering me:

        The described exploit is *entirely* wrong!

The described exploit is a) not a remote buffer overflow b) not at all
present in all those versions listed in the advisory. c) hardly an exploit
since it just crashes older versions of the appliction.

There's a "buffer overflow" example posted in the curl bug report system that
would make a far better (and correct) example of how to crash curl using the
posted flaw.

I'd be happy to answer to any questions regarding this matter, and I would
like to see that section of the advisory corrected.

Thanks for an utterly important and useful service!

--
  Daniel Stenberg -- curl project maintainer -- http://curl.haxx.se/
Previous By Date Next
Previous By Thread Next

Current thread: