"#curl working as intended is a vulnerability"
Ok I paraphrased the title but this onslaught is a bit exhausting...
curl disclosed on HackerOne: Arbitrary Configuration File...
## Summary: The Arbitrary Configuration File Inclusion (ACFI) vulnerability was identified in the curl utility via the --config option. This flaw is a form of External Control of File Name...
HackerOne
Andrea Corbellini
in reply to daniel:// stenberg://
I don't quite understand why you don't give up on hackerone.
A company I used to work for was using hackerone and the amount of garbage reports that we were receiving was simply unsustainable. After we switched to email, things became way better.
Colin McMillen
in reply to daniel:// stenberg://
The demo leaves me baffled.
echo 'url = "file:///etc/passwd"' > /tmp/malicious.curlrc
echo 'output = "/tmp/stolen_passwd.txt"' >> /tmp/malicious.curlrc
curl --config /tmp/malicious.curlrc
cat /tmp/stolen_passwd.txt
Seems like cat /etc/passwd with extra steps
tekhedd
in reply to daniel:// stenberg://
Holy crap! Don't you see what this means? That by supplying curl a config file path via its "config file path" option, we can trick curl into opening a config file AT THAT PATH.
#diabolical