CVE-2013-1944 Information

Description

The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.

Reference

http://curl.haxx.se/docs/adv_20130412.html
http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102056.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102711.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104207.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104598.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105539.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106606.html
http://lists.opensuse.org/opensuse-updates/2013-06/msg00013.html
http://lists.opensuse.org/opensuse-updates/2013-06/msg00016.html
http://rhn.redhat.com/errata/RHSA-2013-0771.html
http://secunia.com/advisories/53044
http://secunia.com/advisories/53051
http://secunia.com/advisories/53097
http://www.debian.org/security/2012/dsa-2660
http://www.mandriva.com/security/advisories?name=MDVSA-2013:151
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.osvdb.org/92316
http://www.securityfocus.com/bid/59058
http://www.ubuntu.com/usn/USN-1801-1
https://bugzilla.redhat.com/show_bug.cgi?id=950577
https://github.com/bagder/curl/commit/2eb8dcf26cb37f09cffe26909a646e702dbcab66
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0121