VectorLinux
Topic: wget flaw securities
vincent2
« on: November 04, 2014, 03:34:05 am »

A vulnerability that grants an attacker write access to the file system of the computer and can even execute code exists in the popular wget download tool. Only the recursive mode of wget, enabled with the parameter -m, is affected according to current knowledge. The recursive mode is used to make a full copy of an HTTP or FTP server, including all resources linked on the start address (example: wget -m ftp://192.168.3.67).

If wget is trying to pull a copy of the contents of an FTP server, a modified server can create a symlink to the root file system and write any content to this, provided that the rights of the user allow this. The server could place e.g. a binary on the computer and run a cron job to ensure it gets executed. The gap was discovered by Rapid7, who are also behind the Metasploit project.

A Metasploit module exists to test for the vulnerability, which sadly means that we probably will soon see attacks against this flaw in the wild.

Users of wget should update immediately to version 1.16, because all older versions are vulnerable to this attack.

You can find the download links of the new versions here:
wget.addictivecode.org/FrequentlyAskedQuestions#download

Please make sure that no other software uses an outdated version of wget, as some software brings its own version with it.
M0E-lnx
Administrator
« Reply #1 on: November 04, 2014, 02:04:58 pm »

VectorLinux 7.1 already has 1.16 by default
Logged
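
The advice in the first post, to check that no bundled or outdated copy of wget remains, can be scripted. This is an added example, not part of the original posts: the function names and the search roots given on the command line are assumptions, and 1.16 is the fixed version named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report wget copies older than the fixed release.
# Usage: sh audit-wget.sh /usr /opt /home     (search roots are the caller's choice)

FIXED_VERSION="1.16"   # fixed release named in the post

# Pull the version out of the first line of `wget --version` output,
# e.g. "GNU Wget 1.15 built on linux-gnu." -> "1.15". Prints nothing if not GNU wget.
parse_wget_version() {
    printf '%s\n' "$1" | sed -n '1s/^GNU Wget \([0-9][0-9.]*\).*/\1/p'
}

# Succeed if version $1 is older than $2. Fields are compared as numbers,
# so 1.9 sorts before 1.16 (a plain string comparison would get this wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "older"
    }'
}

# Classify raw `wget --version` output: prints VULNERABLE, OK or UNKNOWN.
classify_wget() {
    ver=$(parse_wget_version "$1")
    if [ -z "$ver" ]; then echo UNKNOWN
    elif version_lt "$ver" "$FIXED_VERSION"; then echo VULNERABLE
    else echo OK
    fi
}

# Find executables named wget under the given roots and report each one.
audit_wget_binaries() {
    find "$@" -xdev -type f -name wget -perm -100 2>/dev/null |
    while IFS= read -r bin; do
        out=$("$bin" --version 2>/dev/null)
        printf '%-10s %s\n' "$(classify_wget "$out")" "$bin"
    done
}

# Only scan when search roots are supplied, so sourcing the file has no side effects.
if [ "$#" -gt 0 ]; then audit_wget_binaries "$@"; fi
```

The script runs every file named wget that it finds with `--version`, so run it as an unprivileged user. Copies reported as UNKNOWN (for example a BusyBox applet) need a manual look.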
