One of the most common security reports we get in #curl is claims of various CRLF injections where a user injects a CRLF into their own command lines and that's apparently "an attack".
We have documented this risk if you pass in junk in curl options, but that doesn't stop the reporters from reporting this to us. Over and over.
Here's a recent one.
curl disclosed on HackerOne: SMTP CRLF Injection in curl/libcurl...
SMTP CRLF Injection Vulnerability in curl/libcurl. Vulnerability ID: CURL-SMTP-CRLF-2024. CWE-93: Improper Neutralization of CRLF Sequences. Executive Summary: curl/libcurl contains a CRLF... (HackerOne)
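The risk the post refers to sits on the application side: whatever passes untrusted input into curl options has to reject CR and LF before the value ever reaches curl, because curl treats an option value as the caller's intent. The following is an added example, not code from curl or from the post's author; the function names and the sample values are constructed for illustration.

```python
import re
from typing import Iterable, List

# Constructed sample inputs (not from the thread): values an application might
# receive from an untrusted caller and then hand to curl as an SMTP recipient
# or as a custom header. The "bad" ones carry a CR/LF that would let the
# caller append a protocol line or header of its own.
SAMPLE_VALUES = {
    "clean": "alice@example.org",
    "crlf": "alice@example.org\r\nRCPT TO:<mallory@example.org>",
    "bare_lf": "X-Note: hello\nX-Injected: 1",
}

# CR, LF and NUL never belong inside a single SMTP address or header value.
FORBIDDEN_RE = re.compile(r"[\r\n\x00]")


def contains_crlf(value: str) -> bool:
    """True if the value carries a CR, LF or NUL character."""
    return FORBIDDEN_RE.search(value) is not None


def validate_option_value(value: str) -> str:
    """Return the value unchanged, or raise if it could split a line.

    This check belongs in the application, at the boundary where untrusted
    input enters; curl itself does not second-guess what it is given.
    """
    if contains_crlf(value):
        raise ValueError("CR/LF not allowed in a curl option value")
    return value


def is_rejected(value: str) -> bool:
    """Does validation reject this value? (convenience for callers and tests)"""
    try:
        validate_option_value(value)
    except ValueError:
        return True
    return False


def build_smtp_args(recipients: Iterable[str], headers: Iterable[str]) -> List[str]:
    """Build the --mail-rcpt / -H part of a curl argument list from validated input.

    Returned as a list, so it can be passed to subprocess without a shell.
    """
    args: List[str] = []
    for rcpt in recipients:
        args += ["--mail-rcpt", validate_option_value(rcpt)]
    for hdr in headers:
        args += ["-H", validate_option_value(hdr)]
    return args


if __name__ == "__main__":
    print(build_smtp_args([SAMPLE_VALUES["clean"]], ["Subject: status"]))
    for name, value in SAMPLE_VALUES.items():
        print(name, "rejected" if is_rejected(value) else "accepted")
```

The argument list is meant to be handed to `subprocess.run(["curl", ...])` in list form; building a single shell string would reintroduce a second, unrelated injection surface that the CR/LF check does nothing about.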
Adam Katz, in reply to daniel:// stenberg://:
SMTP Smuggling - Spoofing E-Mails Worldwide (SEC Consult Unternehmensberatung GmbH)

nilclass, in reply to daniel:// stenberg://:
I found that if I pass the URL of a website to curl, and the website contains private information, it prints private data to my terminal, which is clearly a GDPR violation!
/s