oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE Request - Gnu Wget 1.17 - Design Error Vulnerability

From: Jordan Bettis <jordanb () hafd org>
Date: Thu, 25 Aug 2016 13:59:28 -0500
On 08/11/2016 10:34 PM, Kurt Seifried wrote:


Please note that the attacker would also have to have access to the local
file system, either shell access or by some additional exploit,
additionally they would have to have read access to the file wget is
downloading (so same security context, or really poor permissions).


...

Please note again that to exploit this you would need a situation where the
attacker can control what wget is fetching, or execute a man in the middle
attack, AND has local access to the system downloading the file AND has
permissions to read the file AND some sort of additional vulnerability that
requires being able to read a file in order to escalate privileges.



Suppose I convince web admin to wget jpeg files from my server into his
web root. The jpeg directory also contains the file evil.php. During the
download, evil.php now exists in his web root and I can cause it to be
executed by visiting the correct path via http.
Previous By Date Next
Previous By Thread Next

Current thread: