Comment by syrgian

5 years ago

If he's the one using cURL, does that mean that he is one of the kids in the phrase 'You built a formula 1 race car and tossed the keys to kids with ego problems.'?

cURL is a complex beast; it handles plenty of various network protocols, and does it in low-level C, therefore it has a lot of potential for exploits if there is a bug like a wrongly formatted string or a buffer overflow. It's a nest for zero-days.

The code is available to anyone to look for such bugs, even the kids with ego problems (aka the hackers). Hackers like curl because it's a nice tool that indeed helps them a lot.

Everyone uses curl, willingly or not, embedded by another library which needs some network protocol. Pass a filename that starts with "protocol://..." to any buggy program that will try to open it, and then one branch somewhere inside libcurl will get called. If you give the right magic string, you get a remote shell.
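The defensive counterpart to the point above is to never let a "filename" that carries a URL scheme reach a library that dispatches on schemes. The following is an added example (not from the comment author or from the curl project) that separates scheme-prefixed input from genuine local paths before the string is handed to any opener; the function names are my own.

```python
import re
from pathlib import Path
from typing import Optional

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def url_scheme(value: str) -> Optional[str]:
    """Return the lower-cased URL scheme if `value` starts with one, else None.

    Edge case: a single letter followed by ':\\' or ':/' is a Windows drive
    letter (C:\\data\\x.txt), not a scheme, so real local paths are not rejected.
    """
    m = _SCHEME_RE.match(value)
    if not m:
        return None
    scheme = m.group(1)
    rest = value[m.end():]
    if len(scheme) == 1 and rest[:1] in ("\\", "/"):
        return None  # drive letter, e.g. C:\ or C:/
    return scheme.lower()


def is_local_path(value: str) -> bool:
    """True when the input has no scheme prefix and can be treated as a file path."""
    return url_scheme(value) is None


def require_local_path(value: str) -> str:
    """Reject scheme-prefixed input outright; otherwise return a normalised path string."""
    scheme = url_scheme(value)
    if scheme is not None:
        raise ValueError(f"expected a local file path, got a '{scheme}:' URL")
    return str(Path(value))


if __name__ == "__main__":
    # Constructed sample inputs: a real path, a drive-letter path, and scheme-prefixed strings.
    for sample in ["/tmp/report.txt", r"C:\Users\me\report.txt", "ftp://host/x", "file:///etc/hostname"]:
        print(f"{sample!r:40} scheme={url_scheme(sample)!r} local={is_local_path(sample)}")
```

The check runs before the string is passed along, so the choice of which protocols a library supports never matters for inputs that were only ever meant to be file names.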