oss-sec mailing list archives
Re: CVE Request - Gnu Wget 1.17 - Design Error Vulnerability
From: "Misra, Deapesh" <dmisra () verisign com>
Date: Sun, 28 Aug 2016 05:56:27 +0000
Hi,
On Aug 27, 2016, at 3:08 PM, "cve-assign () mitre org" <cve-assign () mitre org> wrote:

> Maybe a marginally realistic exploitation scenario is for the attacker to convey this message to potential victims:
When I read the vulnerability report for the first time, this is the scenario I came up with to justify the security threat from this issue:

(Hypothetical story of course)

A group of developers decide to write their own version of the "internet archive - way back machine". To keep things simple they decide to use the power of wget within their PHP app. For their version one of the app, they decide to only allow the archiving and viewing of jpeg files. They then set up their PHP app and solicit people to input URLs of websites with images which need to be archived.

In this kind of "archiving website" scenario, the victim has to
- solicit and accept URLs from untrustworthy parties
- has to archive the specified files and then make the archived files available

Isn't this a common enough and plausible scenario which poses a security threat to the developers' server?

Thanks,
- deapesh.