moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-08-13 17:03:50 -04:00
Code Issues Releases Wiki Activity

libcurl-security.3: the http://192.168.0.1/my_router_config case

Browse Source 
Mentioned-By: Rich Moore
This commit is contained in:
Daniel Stenberg 2018-02-13 13:54:11 +01:00
parent 03b7b2e8fc
commit 1e720400aa
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
docs/libcurl/libcurl-security.3
View File

@ -151,6 +151,11 @@ address and port number for a server local to the app running libcurl but
behind a firewall. Applications can mitigate against this by using the
\fICURLOPT_FTP_SKIP_PASV_IP(3)\fP option or \fICURLOPT_FTPPORT(3)\fP.
Local servers sometimes assume local access comes from friends and trusted
users. An application that expects http://example.com/file_to_read that and
instead gets http://192.168.0.1/my_router_config might print a file that would
otherwise be protected by the firewall.
Allowing your application to connect to local hosts, be it the same machine
that runs the application or a machine on the same local network, might be
possible to exploit by an attacker who then perhaps can "port-scan" the
@ -303,7 +308,7 @@ enabled by applications that fail to properly validate server TLS/SSL
certificates, thus enabling a malicious server to spoof a legitimate
one. HTTPS without validated certificates is potentially as insecure as a
plain HTTP connection.
.SH "Resport Security Problems"
.SH "Report Security Problems"
Should you detect or just suspect a security problem in libcurl or curl,
contact the project curl security team immediately. See the separate
SECURITY.md document for details.