When curl performs a passive FTP transfer, it first tries the EPSV
command
and if that is not supported, it falls back to using PASV
. Passive mode is
what curl uses by default.
A server response to a PASV
command includes the (IPv4) address and port
number for the client to connect back to in order to perform the actual data
transfer.
This is how the FTP protocol is designed to work.
A malicious server can use the PASV
response to trick curl into connecting
back to a given IP address and port, and this way potentially make curl
extract information about services that are otherwise private and not
disclosed, for example doing port scanning and service banner extractions.
If curl operates on a URL provided by a user (which by all means is an unwise setup), a user can exploit that and pass in a URL to a malicious FTP server instance without needing any server breach to perform the attack.