Cool VL Viewer forum

libcurl security vulnerability 

Joined: 2011-08-27 17:31:05
Posts: 98
I just read about a security vulnerability in libcurl and although I'm not sure if this applies to the viewer, I thought I'd better mention it here just in case. With possible security vulnerabilities it's better safe than sorry...

http://blog.volema.com/curl-rce.html#.URTG72dsItU


2013-02-08 16:42:43

Joined: 2009-03-17 18:42:51
Posts: 5523
It doesn't affect the viewer, because the latter only uses Curl for HTTP, not for SMTP, FTP, etc...


2013-02-08 19:42:49

Joined: 2011-08-27 17:31:05
Posts: 98
The article describes a scenario where a malicious webserver could return a relocation to a POP3 server. Like this:
Quote:
HTTP/1.0 302 Found
Location: pop3://x:x@evilserver.com/.

My understanding of the article is that that relocation would automatically be handled within libcurl...

Also from the article:
Quote:
Mitigation
We recommend to disable protocols other than HTTP(S) in your application using options CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS. libcurl version should be updated.

If the viewer is already using these options, then no need to worry. :)


2013-02-08 21:02:09
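The mitigation quoted in the post above (restricting CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS to HTTP(S)) can be modelled without libcurl. The following is an added example, not code from this thread, the Cool VL Viewer, or libcurl: a small Python redirect-policy check that applies the same scheme allow-list to the 302 response quoted in the post. The libcurl equivalent is shown as a comment; the base URL, the benign relative redirect and the 200 response are constructed sample data.

```python
"""Model of libcurl's CURLOPT_REDIR_PROTOCOLS allow-list applied to an HTTP
redirect (added example; not viewer or libcurl code)."""
from urllib.parse import urljoin, urlsplit

# Policy equivalent to the libcurl options named in the article's mitigation:
#   curl_easy_setopt(h, CURLOPT_PROTOCOLS,       CURLPROTO_HTTP | CURLPROTO_HTTPS);
#   curl_easy_setopt(h, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
# A Location pointing at any other scheme (pop3, smtp, ftp, file, ...) is refused
# instead of being followed.
ALLOWED_REDIR_SCHEMES = frozenset({"http", "https"})

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_response_head(raw: bytes):
    """Split an HTTP response head into (status_code, headers dict).
    Header names are lower-cased; only the head before the blank line is read."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("malformed status line: %r" % lines[0])
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def decide_redirect(base_url: str, raw_response: bytes,
                    allowed=ALLOWED_REDIR_SCHEMES):
    """Return ("none", None) when the response is not a redirect,
    ("follow", absolute_url) when the Location's scheme is allowed,
    or ("refuse", scheme) when it is not."""
    status, headers = parse_response_head(raw_response)
    if status not in REDIRECT_STATUSES or "location" not in headers:
        return ("none", None)
    # A relative Location inherits the scheme of the request URL, which is
    # how a client following the redirect would resolve it.
    target = urljoin(base_url, headers["location"])
    scheme = urlsplit(target).scheme.lower()
    if scheme in allowed:
        return ("follow", target)
    return ("refuse", scheme)


# Constructed sample responses; the first mirrors the one quoted in the thread.
MALICIOUS_302 = (
    b"HTTP/1.0 302 Found\r\n"
    b"Location: pop3://x:x@evilserver.com/.\r\n"
    b"\r\n"
)
BENIGN_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /cap/v2/resource\r\n"
    b"\r\n"
)
PLAIN_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    base = "https://sim.example.invalid/cap/v1/resource"  # constructed
    for name, resp in (("malicious", MALICIOUS_302),
                       ("benign", BENIGN_302),
                       ("200", PLAIN_200)):
        print(name, decide_redirect(base, resp))
```

With the default allow-list the pop3:// redirect is refused while the same-origin HTTPS redirect is followed; passing a wider `allowed` set shows what happens when an application leaves the redirect protocols unrestricted.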

Joined: 2009-03-17 18:42:51
Posts: 5523
Since libcurl is only used to access HTTP servers run by LL (or the grid owner, for OpenSim grids), it is unlikely (possible on a hacked OpenSim grid, I suppose) that you will encounter such an exploit with the viewer... At worst, the exploit would make the viewer crash (since there is a crash handler in the viewer, there is no risk that such a crash could be exploited to gain access or run a virus, for example, not to mention that the latter would require targeting a specific viewer build...).

I'd rather not rush into a "fix" to a highly hypothetical security hole, fix that would risk breaking everything else... So don't expect a fix for tomorrow's releases.


2013-02-08 21:30:31