mirror of
https://github.com/moparisthebest/curl
synced 2024-12-23 16:48:49 -05:00
libcurl-security.3: the http://192.168.0.1/my_router_config case
Mentioned-By: Rich Moore
parent 03b7b2e8fc
commit 1e720400aa
@ -151,6 +151,11 @@ address and port number for a server local to the app running libcurl but
behind a firewall. Applications can mitigate against this by using the
behind a firewall. Applications can mitigate against this by using the
\fICURLOPT_FTP_SKIP_PASV_IP(3)\fP option or \fICURLOPT_FTPPORT(3)\fP.
\fICURLOPT_FTP_SKIP_PASV_IP(3)\fP option or \fICURLOPT_FTPPORT(3)\fP.
Local servers sometimes assume local access comes from friends and trusted
users. An application that expects http://example.com/file_to_read that and
instead gets http://192.168.0.1/my_router_config might print a file that would
otherwise be protected by the firewall.
Allowing your application to connect to local hosts, be it the same machine
Allowing your application to connect to local hosts, be it the same machine
that runs the application or a machine on the same local network, might be
that runs the application or a machine on the same local network, might be
possible to exploit by an attacker who then perhaps can "port-scan" the
possible to exploit by an attacker who then perhaps can "port-scan" the
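Review bot: the second added line has a stray word, "expects http://example.com/file_to_read that and instead gets ..."; drop the "that" so it reads "An application that expects http://example.com/file_to_read and instead gets http://192.168.0.1/my_router_config might print a file that would otherwise be protected by the firewall." The new paragraph also states the risk without naming a mitigation, whereas the PASV paragraph just above it points at \fICURLOPT_FTP_SKIP_PASV_IP(3)\fP and \fICURLOPT_FTPPORT(3)\fP; a short sentence tying this case to the advice in the following paragraph (restricting which local hosts the application lets libcurl connect to) would make the guidance actionable rather than only descriptive.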
@ -303,7 +308,7 @@ enabled by applications that fail to properly validate server TLS/SSL
certificates, thus enabling a malicious server to spoof a legitimate
certificates, thus enabling a malicious server to spoof a legitimate
one. HTTPS without validated certificates is potentially as insecure as a
one. HTTPS without validated certificates is potentially as insecure as a
plain HTTP connection.
plain HTTP connection.
.SH "Resport Security Problems"
.SH "Report Security Problems"
Should you detect or just suspect a security problem in libcurl or curl,
Should you detect or just suspect a security problem in libcurl or curl,
contact the project curl security team immediately. See the separate
contact the project curl security team immediately. See the separate
SECURITY.md document for details.
SECURITY.md document for details.
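Review bot: the only change in this hunk is the heading typo fix in the .SH line ("Resport Security Problems" to "Report Security Problems"), which is correct but unrelated to the local-host case that the commit title describes; mention it in the commit message, or split it into its own commit, so the heading fix stays findable in the history.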