Wget security flaw (older than 1.16)
QuHno last edited by Gwen-Dragon
A vulnerability that grants an attacker write access to the file system of the computer and can even execute code exists in the popular wget download tool. Only the recursive mode of wget, enabled with the parameter -m, is affected according to current knowledge. The recursive mode is used to make a full copy of an HTTP or FTP server, including all resources linked on the start address (example: wget -m ftp://192.168.3.67). If wget is trying to pull a copy of the contents of an FTP server, a modified server can create a symlink to the root file system and write any content to this, provided that the rights of the user allow this. The server could place e.g. a binary on the computer and run a cron job to ensure it gets executed.

The gap was discovered by Rapid7, who are also behind the Metasploit project. https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access

A Metasploit module exists to test for the vulnerability, which sadly means that we probably will soon see attacks against this flaw in the wild. Users of wget should update immediately to version 1.16, because all older versions are vulnerable to this attack. You can find the download links of the new versions here: http://wget.addictivecode.org/FrequentlyAskedQuestions#download

Please make sure that no other software uses an outdated version of wget, as some software brings its own version with it.
Thanks for posting this notice!!
ersi last edited by
The new version of wget should arrive with the next updates in any decent distro. To see the wget version, type wget -V
The output is unnecessarily verbose. I had to scroll up to see the version number.
Frenzie last edited by
You could always type wget -V | grep "GNU Wget" instead. :P
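To turn the version check above into something repeatable, here is an added example (not posted by anyone in this thread) that parses `wget -V` output, decides whether the version predates 1.16, and walks `$PATH` so bundled copies are not missed. The first-line format "GNU Wget X.Y built on ..." is assumed from wget's -V output; the `--retr-symlinks=on` workaround mentioned in the verdict is wget's own option, which 1.16 turned on by default.

```shell
#!/bin/sh
# Added example: audit wget binaries for the pre-1.16 FTP symlink flaw.

# Extract "X.Y[.Z]" from `wget -V` output; its first line reads e.g.
# "GNU Wget 1.15 built on linux-gnu." (format assumed, not from the thread).
wget_version_from_output() {
    printf '%s\n' "$1" \
      | sed -n 's/^GNU Wget \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' \
      | head -n 1
}

# True (exit 0) when version $1 is older than 1.16, i.e. affected.
wget_version_vulnerable() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$major" -lt 1 ]; then return 0; fi
    [ "$minor" -lt 16 ]
}

# Check one binary: prints a verdict and returns 0 if vulnerable,
# 1 if patched, 2 if the version could not be determined.
check_wget_binary() {
    bin=$1
    out=$("$bin" -V 2>/dev/null | head -n 1) || out=""
    ver=$(wget_version_from_output "$out")
    if [ -z "$ver" ]; then
        echo "$bin: could not determine version"; return 2
    fi
    if wget_version_vulnerable "$ver"; then
        echo "$bin: $ver VULNERABLE (update to 1.16 or run with --retr-symlinks=on)"
        return 0
    fi
    echo "$bin: $ver ok"; return 1
}

# Walk every directory in $PATH plus any extra dirs given as arguments,
# since some software ships its own wget outside the distro package.
audit_wget_binaries() {
    oldifs=$IFS; IFS=:
    for dir in $PATH "$@"; do
        [ -x "$dir/wget" ] && check_wget_binary "$dir/wget"
    done
    IFS=$oldifs
}

audit_wget_binaries
```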