FreeBSD : cURL -- sensitive HTTP server headers also sent to proxies (27f742f6-03f4-11e5-aab1-d050996490d0)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

cURL reports :

libcurl provides applications a way to set custom HTTP headers to be
sent to the server by using CURLOPT_HTTPHEADER. A similar option is
available for the curl command-line tool with the '--header' option.

When the connection passes through an HTTP proxy the same set of
headers is sent to the proxy as well by default. While this is by
design, it has not necessarily been clear nor understood by
application programmers.

See also :

http://curl.haxx.se/docs/adv_20150429.html
http://www.nessus.org/u?5b2a4533

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 83841

Bugtraq ID:

CVE ID: CVE-2015-3153
