ID CVE-2005-4077
Summary Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 through 7.15.0 allow local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs that (1) are malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer, or (2) contain a "?" separator in the hostname portion, which causes a "/" to be prepended to the resulting string.
References
Vulnerable Configurations
  • cpe:2.3:a:daniel_stenberg:curl:7.11.2
  • cpe:2.3:a:daniel_stenberg:curl:7.12
  • cpe:2.3:a:daniel_stenberg:curl:7.12.1
  • cpe:2.3:a:daniel_stenberg:curl:7.12.2
  • cpe:2.3:a:daniel_stenberg:curl:7.12.3
  • cpe:2.3:a:daniel_stenberg:curl:7.13
  • cpe:2.3:a:daniel_stenberg:curl:7.13.1
  • cpe:2.3:a:daniel_stenberg:curl:7.13.2
  • cpe:2.3:a:daniel_stenberg:curl:7.14
  • cpe:2.3:a:daniel_stenberg:curl:7.14.1
  • cpe:2.3:a:daniel_stenberg:curl:7.15
CVSS
Base: 4.6 (as of 07-12-2005 - 22:18)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
Vector: LOCAL   Complexity: LOW   Authentication: NONE
Impact
Confidentiality: PARTIAL   Integrity: PARTIAL   Availability: PARTIAL
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-224.NASL
    description Stefan Esser discovered that libcurl's URL parser function can overflow a malloced buffer in two ways if given a too long URL. It cannot be triggered by a redirect, which makes remote exploitation unlikely, but can be passed directly to libcurl (allowing for local exploitation) and could also be used to break out of PHP's safe_mode/open_basedir. This vulnerability only exists in libcurl and curl 7.11.2 up to and including 7.15.0, which means that Corporate Server 2.1 and Corporate 3.0 are not vulnerable. The updated packages have been patched to correct the problem. As well, updated php-curl packages are available that provide a new curl PHP module compiled against the fixed code.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20455
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20455
    title Mandrake Linux Security Advisory : curl (MDKSA-2005:224)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-875.NASL
    description Updated curl packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. Stefan Esser discovered an off-by-one bug in curl. It may be possible to execute arbitrary code on a user's machine if the user can be tricked into executing curl with a carefully crafted URL. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-4077 to this issue. All users of curl are advised to upgrade to these updated packages, which contain a backported patch that resolves this issue.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 20364
    published 2005-12-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20364
    title RHEL 4 : curl (RHSA-2005:875)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-919.NASL
    description The upstream developer of curl, a multi-protocol file transfer library, informed us that the former correction to several off-by-one errors was not sufficient. For completeness please find the original bug description below: Several problems were discovered in libcurl, a multi-protocol file transfer library. The Common Vulnerabilities and Exposures project identifies the following problems: - CVE-2005-3185 A buffer overflow has been discovered in libcurl that could allow the execution of arbitrary code. - CVE-2005-4077 Stefan Esser discovered several off-by-one errors that allow local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 22785
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22785
    title Debian DSA-919-2 : curl - buffer overflow
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200603-25.NASL
    description The remote host is affected by the vulnerability described in GLSA-200603-25 (OpenOffice.org: Heap overflow in included libcurl) OpenOffice.org includes libcurl code. This libcurl code is vulnerable to a heap overflow when it tries to parse a URL that exceeds a 256-byte limit (GLSA 200512-09). Impact : An attacker could entice a user to call a specially crafted URL with OpenOffice.org, potentially resulting in the execution of arbitrary code with the rights of the user running the application. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 21160
    published 2006-03-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21160
    title GLSA-200603-25 : OpenOffice.org: Heap overflow in included libcurl
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200512-09.NASL
    description The remote host is affected by the vulnerability described in GLSA-200512-09 (cURL: Off-by-one errors in URL handling) Stefan Esser from the Hardened-PHP Project has reported a vulnerability in cURL that allows for a local buffer overflow when cURL attempts to parse specially crafted URLs. The URL can be specially crafted in one of two ways: the URL could be malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer; or the URL could contain a '?' separator in the hostname portion, which causes a '/' to be prepended to the resulting string. Impact : An attacker capable of getting cURL to parse a maliciously crafted URL could cause a denial of service or execute arbitrary code with the privileges of the user making the call to cURL. An attacker could also escape open_basedir or safe_mode pseudo-restrictions when exploiting this problem from within a PHP program when PHP is compiled with libcurl. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 20329
    published 2005-12-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20329
    title GLSA-200512-09 : cURL: Off-by-one errors in URL handling
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-228-1.NASL
    description Stefan Esser discovered several buffer overflows in the handling of URLs. By attempting to load a URL with a specially crafted invalid hostname, a local attacker could exploit this to execute arbitrary code with the privileges of the application that uses the cURL library. It is not possible to trick cURL into loading a malicious URL with an HTTP redirect, so this vulnerability was usually not exploitable remotely. However, it could be exploited locally to e.g. circumvent PHP security restrictions. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-05-26
    plugin id 20771
    published 2006-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20771
    title Ubuntu 4.10 / 5.04 / 5.10 : curl vulnerability (USN-228-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-875.NASL
    description Updated curl packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. Stefan Esser discovered an off-by-one bug in curl. It may be possible to execute arbitrary code on a user's machine if the user can be tricked into executing curl with a carefully crafted URL. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-4077 to this issue. All users of curl are advised to upgrade to these updated packages, which contain a backported patch that resolves this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21973
    published 2006-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21973
    title CentOS 4 : curl (CESA-2005:875)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2006-003.NASL
    description The remote host is running Apple Mac OS X, but lacks Security Update 2006-003. This security update contains fixes for the following applications: AppKit, ImageIO, BOM, CFNetwork, ClamAV (Mac OS X Server only), CoreFoundation, CoreGraphics, Finder, FTPServer, Flash Player, Keychain, LaunchServices, libcurl, Mail, MySQL Manager (Mac OS X Server only), Preview, QuickDraw, QuickTime Streaming Server, Ruby, Safari
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 21341
    published 2006-05-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21341
    title Mac OS X Multiple Vulnerabilities (Security Update 2006-003)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2005-1129.NASL
    description This package fixes a security buffer overflow bug in URL authentication code of curl (CVE-2005-4077). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20289
    published 2005-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20289
    title Fedora Core 4 : curl-7.13.1-4.fc4 (2005-1129)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_9B4FACEC676111DA99F600123FFE8333.NASL
    description A Project cURL Security Advisory reports : libcurl's URL parser function can overflow a malloced buffer in two ways, if given a too long URL. 1 - pass in a URL with no protocol (like 'http://') prefix, using no slash and the string is 256 bytes or longer. This leads to a single zero byte overflow of the malloced buffer. 2 - pass in a URL with only a question mark as separator (no slash) between the host and the query part of the URL. This leads to a single zero byte overflow of the malloced buffer. Both overflows can be made with the same input string, leading to two single zero byte overwrites. The affected flaw cannot be triggered by a redirect, but the long URL must be passed in 'directly' to libcurl. It makes this a 'local' problem. Of course, lots of programs may still pass in user-provided URLs to libcurl without doing much syntax checking of their own, allowing a user to exploit this vulnerability.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 21483
    published 2006-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21483
    title FreeBSD : curl -- URL buffer overflow vulnerability (9b4facec-6761-11da-99f6-00123ffe8333)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2008-002.NASL
    description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-002 applied. This update contains several security fixes for a number of programs.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 31605
    published 2008-03-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31605
    title Mac OS X Multiple Vulnerabilities (Security Update 2008-002)
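The two trigger shapes in the Project cURL advisory quoted in the FreeBSD entry above (a scheme-less, slash-less URL of 256 bytes or more; a '?' with no '/' between host and query) come down to one sizing mistake: the hostname and path buffers were allocated from the URL length, but the parsed hostname plus its terminating NUL, or the path plus a prepended '/' plus NUL, can need one byte more than that. The C model below is an added example, not libcurl's source and not a reproduction of its code paths. It keeps the advisory's arithmetic (URL-length allocation with a 256-byte floor, a slash prepended to a path that starts with '?') but computes the required size before writing, so it reports which buffer the vulnerable sizing (slack 0) would have overflowed and shows that two extra bytes (slack 2, matching the "+2" nature of the fix as described) cover both cases. The function and type names, the `LEAST_PATH_ALLOC` floor, the one-character-host shape used for the second case and the sample URLs are this example's constructions, not identifiers or inputs taken from curl.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the CVE-2005-4077 allocation pattern (added example, not libcurl
 * code).  Buffers are sized to the URL length with a 256-byte floor; the
 * hostname may be the whole URL when no '/' or '?' follows it, and a path
 * beginning with '?' gets a '/' prepended.  Either can need one byte more
 * than a URL-sized buffer holds.  The model never writes out of bounds: it
 * checks the required size against the capacity first. */

#define LEAST_PATH_ALLOC 256   /* floor assumed by this model */

enum parse_result {
    PARSE_OK = 0,
    PARSE_HOST_OVERFLOW = 1,   /* hostname + NUL exceeds the host buffer */
    PARSE_PATH_OVERFLOW = 2,   /* '/' + path + NUL exceeds the path buffer */
    PARSE_OOM = 3
};

struct parsed_url {
    char *host;
    char *path;
};

/* slack: bytes added on top of the URL-sized allocation.
 * 0 models the vulnerable sizing, 2 models the corrected sizing. */
int parse_url_model(const char *url, size_t slack, struct parsed_url *out)
{
    size_t urllen = strlen(url);
    size_t cap = (urllen < LEAST_PATH_ALLOC ? LEAST_PATH_ALLOC : urllen) + slack;

    /* Skip an optional "scheme://" prefix; the scheme is not kept here. */
    const char *sep = strstr(url, "://");
    const char *rest = sep ? sep + 3 : url;

    /* Hostname runs up to the first '/' or '?' (or the end of the string). */
    size_t hostlen = strcspn(rest, "/?");
    const char *pathsrc = rest + hostlen;
    size_t pathlen = strlen(pathsrc);
    int prepend_slash = (pathsrc[0] == '?');          /* "host?q" -> "/?q" */
    size_t host_needed = hostlen + 1;                  /* +1 for NUL */
    size_t path_needed = pathlen + (prepend_slash ? 1 : 0) + 1;

    out->host = out->path = NULL;
    if (host_needed > cap) return PARSE_HOST_OVERFLOW; /* the advisory's case 1 */
    if (path_needed > cap) return PARSE_PATH_OVERFLOW; /* the advisory's case 2 */

    out->host = malloc(cap);
    out->path = malloc(cap);
    if (!out->host || !out->path) {
        free(out->host); free(out->path);
        out->host = out->path = NULL;
        return PARSE_OOM;
    }

    memcpy(out->host, rest, hostlen);
    out->host[hostlen] = '\0';
    if (prepend_slash) {
        out->path[0] = '/';
        memcpy(out->path + 1, pathsrc, pathlen + 1);   /* copies the NUL too */
    } else if (pathlen == 0) {
        strcpy(out->path, "/");                        /* empty path becomes "/" */
    } else {
        memcpy(out->path, pathsrc, pathlen + 1);
    }
    return PARSE_OK;
}

void free_parsed_url(struct parsed_url *u)
{
    free(u->host); free(u->path);
    u->host = u->path = NULL;
}

/* Constructed inputs in the two shapes the advisory describes.
 * buf must hold len + 1 bytes. */
void make_long_host_url(char *buf, size_t len)      /* "aaaa...a": no scheme, no slash */
{
    memset(buf, 'a', len);
    buf[len] = '\0';
}

void make_query_only_url(char *buf, size_t len)     /* "a?bbb...b": '?' but no slash */
{
    buf[0] = 'a'; buf[1] = '?';
    memset(buf + 2, 'b', len - 2);
    buf[len] = '\0';
}

int main(void)
{
    char buf[300];
    struct parsed_url u;
    size_t slack;
    for (slack = 0; slack <= 2; slack += 2) {
        make_long_host_url(buf, 256);
        printf("slack %zu, 256-byte host, no slash: %d\n", slack,
               parse_url_model(buf, slack, &u));     /* 1 at slack 0, 0 at slack 2 */
        free_parsed_url(&u);
        make_query_only_url(buf, 256);
        printf("slack %zu, host?query, no slash:   %d\n", slack,
               parse_url_model(buf, slack, &u));     /* 2 at slack 0, 0 at slack 2 */
        free_parsed_url(&u);
    }
    return 0;
}
```

A 255-byte slash-less URL fits the URL-sized buffer and a 256-byte one does not, which is the "256 bytes or longer" boundary in the advisory. The check worth copying into your own parsers is the one done before `malloc`: compute what each component needs including its terminator and any character you insert (here the '/'), then compare against the capacity, rather than deriving the capacity from the input length and assuming it covers every intermediate form.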
oval via4
accepted 2013-04-29T04:09:24.402-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 through 7.15.0 allow local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs that (1) are malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer, or (2) contain a "?" separator in the hostname portion, which causes a "/" to be prepended to the resulting string.
family unix
id oval:org.mitre.oval:def:10855
status accepted
submitted 2010-07-09T03:56:16-04:00
title Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 through 7.15.0 allow local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs that (1) are malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer, or (2) contain a "?" separator in the hostname portion, which causes a "/" to be prepended to the resulting string.
version 23
redhat via4
advisories
rhsa
id RHSA-2005:875
refmap via4
apple
  • APPLE-SA-2006-05-11
  • APPLE-SA-2008-03-18
bid
  • 15756
  • 17951
bugtraq 20051207 Advisory 24/2005: libcurl URL parsing vulnerability
cert TA06-132A
confirm
debian DSA-919
fedora FEDORA-2005-1129
gentoo
  • GLSA-200512-09
  • GLSA-200603-25
mandriva MDKSA-2005:224
misc
sco SCOSA-2006.16
secunia
  • 17907
  • 17960
  • 17961
  • 17965
  • 17977
  • 18105
  • 18188
  • 18336
  • 19261
  • 19433
  • 19457
  • 20077
trustix TSLSA-2005-0072
ubuntu USN-228-1
vupen
  • ADV-2005-2791
  • ADV-2006-0960
  • ADV-2006-1779
  • ADV-2008-0924
Last major update 08-09-2011 - 00:00
Published 07-12-2005 - 20:03
Last modified 19-10-2018 - 11:40