Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dangerous Vulnerability Fixed In Wget

Posted by Soulskill on from the under-the-radar dept.

jones_supa writes: A critical flaw has been found and patched in the open source Wget file retrieval utility that is widely used on UNIX systems. The vulnerability is publicly identified as CVE-2014-4877. "It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP," developer Vasyl Kaigorodov writes in Red Hat Bugzilla. A malicious FTP server can stomp over your entire filesystem, tweets HD Moore, chief research officer at Rapid 7, who is the original reporter of the bug.

7 of 58 comments (clear)

  1. rapid7.com metasploit & kb.cert.org advisory by Anonymous Coward · · Score: 4, Informative

    - The disclosure is here:

    https://community.rapid7.com/c...

    - Vulnerability Note VU#685996 (kb.cert.org):

    http://www.kb.cert.org/vuls/id...

  2. Re:super user by caseih · · Score: 4, Interesting

    Yes that's good practice for any command. Though wget is used behind the scenes by, say, opkg on openwrt boxes, which has to run as root since it's unpacking and installing packages. In fact on embedded devices, most everything runs as root there, typically, even if it's a bad idea, and is going to have to change as the internet of things becomes a fact of life. Never thought I'd need to run selinux on an embedded device, but we're to the point now where that's required.

    It's good to have this particular bug fixed at least.

  3. Nothing to see here, move along by gweihir · · Score: 4, Informative

    Bug found, bug fixed, another venerable tool got even better. This is just business as usual.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Nothing to see here, move along by gweihir · · Score: 4, Informative

      Very moderately so. Of course, you should not wget to not trustworthy servers until you have a patched version. But you should not do that anyways, even with the patched version. The biggest risk is still what you get from the server, even if it is confined to its intended place.

      Of course, for clueless people using insecure practice, this issue may have some importance. The others are not really at risk and will get the information anyways from the vulnerability information feed of their choice.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  4. Neat. by ledow · · Score: 4, Insightful

    Neat trick.

    But if you have arbitrary FTP URL's from untrusted sources piped straight into wget on a server you run, you have bigger problems than someone trashing your filesystem or overwriting your /etc/passwd.

  5. Switching to windows by Anonymous Coward · · Score: 5, Funny

    Too tired of this kind of crap from the open source community

  6. Re: super user by undisclosedrecipient · · Score: 4, Insightful

    Root access is the worst case indeed, but it's not a silver bullet if what you really want to protect is accessible by current user. I've seen my share of magical thinking banning root at all costs while in fact confidential data can be grabbed by an exploitable non-root user.