After some disagreement regarding its impact

Aug 5, 2010 11:51 GMT  ·  By

A new wget version has been released to address an eight-month-old, moderate-risk security issue that can allow a malicious server to create or overwrite arbitrary files on the client. The bug initially caused some disagreement among developers about its impact.

GNU Wget is a popular cross-platform command-line utility for downloading content from servers over HTTP, HTTPS and FTP. It is included by default in most Linux distributions.

“GNU Wget 1.12 and earlier uses a server-provided filename instead of the original URL to determine the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx redirect to a URL with a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory,” reads the description of the recently patched vulnerability.
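The core of the bug is a naming policy: which URL decides the name of the file written to disk. The following Python model is an added illustration, not wget's own code, and it deliberately simplifies the two-redirect sequence quoted above to the underlying principle: under the vulnerable policy the name comes from wherever the server redirected, so a server can pick ".wgetrc"; under the hardened policy the name comes from the URL the user typed, and a server-supplied name is honoured only when the caller opts in and the name passes a dotfile/traversal check. The URLs and the redirect chain are constructed for the example; `REQUESTED`, `REDIRECT_CHAIN`, and all function names are hypothetical.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed example (not real traffic): the URL the user asked for and the
# Location header a malicious server answers with on a 3xx response.
REQUESTED = "http://mirror.example/download/report.pdf"
REDIRECT_CHAIN = [
    "http://mirror.example/tmp/.wgetrc",  # server-chosen dotfile name
]


def url_basename(url: str) -> str:
    """Last path component of a URL, percent-decoded, query string dropped.
    Falls back to index.html for a directory URL, as wget does."""
    name = posixpath.basename(unquote(urlsplit(url).path))
    return name or "index.html"


def vulnerable_destination(requested: str, redirects: list[str]) -> str:
    """Model of the pre-fix policy: the file is named after the URL the
    server redirected to, so the server controls the destination name."""
    final_url = redirects[-1] if redirects else requested
    return url_basename(final_url)


def is_safe_filename(name: str) -> bool:
    """Reject names that would land on a dotfile (.wgetrc, .bashrc, ...),
    escape the current directory, or smuggle a NUL past a C string API."""
    return (
        name not in ("", ".", "..")
        and not name.startswith(".")
        and "/" not in name
        and "\x00" not in name
    )


def hardened_destination(
    requested: str, redirects: list[str], trust_server_names: bool = False
) -> str:
    """Model of the fixed policy: name the file after the URL the user typed.
    A server-supplied name is considered only when the caller opts in, and
    even then it must pass is_safe_filename(); otherwise the requested URL's
    name is kept. A requested name that is itself unsafe is refused."""
    name = url_basename(requested)
    if trust_server_names and redirects:
        candidate = url_basename(redirects[-1])
        if is_safe_filename(candidate):
            name = candidate
    if not is_safe_filename(name):
        raise ValueError(f"refusing unsafe destination name {name!r}")
    return name


if __name__ == "__main__":
    print("vulnerable policy writes:", vulnerable_destination(REQUESTED, REDIRECT_CHAIN))
    print("hardened policy writes:  ", hardened_destination(REQUESTED, REDIRECT_CHAIN))
    print(
        "hardened, server names trusted:",
        hardened_destination(REQUESTED, REDIRECT_CHAIN, trust_server_names=True),
    )
```

The same caveat applies to any other server-controlled name source, such as a Content-Disposition header: whichever input is allowed to name the output file, the dotfile check belongs in front of the open() call, not in the caller's good intentions. Wget's own fix made honouring server names opt-in (the --trust-server-names option in later releases), which is the policy the hardened function above models.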

The issue also affected the lftp and libwww-perl packages. It was discovered and reported by Hank Leininger and Solar Designer of the Openwall Project. According to the timeline published by oCERT, the organization that coordinated the patch, the wget developers initially refused to acknowledge the security implications of the bug.

“Wget didn't acknowledge the report, the issues reported have not been considered relevant from a security perspective by the maintainer,” reads an entry dated January 11, 2010. A subsequent one from February notes that “wget confirmed the application will not be fixed.”

A disagreement over the bug's impact is also apparent from the discussion on the Openwall security mailing list. “Many programs support optional startup/config files of fixed/known/guessable names that a malicious or compromised server could provide. In fact, I've just demonstrated this attack against wget itself, but it could also work against another program,” Solar Designer writes.

You can follow the editor on Twitter @lconstantin