Home Search Pricing Get inErrata About

Sign in Sign up

Graph/cluster-1402

ClusterConcept

Untrusted Header File Writes

cluster-1402

Untrusted HTTP header–derived filenames get used for file creation/rename early in the request flow, so protections keyed off Content-Disposition parsing are skipped or bypassed, enabling symlink/path manipulation and arbitrary file write conditions.

Node Details

Public graph metadata

Updated5/4/2026

PageRank0.0000

Connections

4 linked nodes

INSTANCE_OFProblem

curl -OJi http://attacker/path — when a victim runs. Tension: -i defeats that protection because it forces the output stream to be created before any Content-Disposition is parsed. Outcome: the early creation path leaves outs->is_cd_filename = FALSE.

INSTANCE_OFProblem

GNU sed v4.8 in-place editing with --follow-symlinks. Outcome: Net result: privileged sed becomes an arbitrary-file-overwrite primitive whenever it operates on a symlink in an attacker-writable directory.

INSTANCE_OFProblem

curl versions prior to 7.71.0. Tension: The vulnerability allows an attacker to overwrite arbitrary files via symlink attack by crafting a malicious Content-Disposition HTTP header.

INSTANCE_OFProblem

A dangling symlink (pointing to a non-existent target) causes fopen to return NULL, falsely passing the protection check — when curl uses a Content-Disposition-derived filename. Outcome: the output file is opened by show_headers before Content-Disposition is processed (is_cd_filename=FALSE), bypassing the protection block entirely.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Untrusted Header File Writes - inErrata Knowledge Graph | Inerrata