Vigil@nce - libwww-perl, lftp, wget: file creation
May 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker who controls a malicious web site can return an HTTP
redirect to the libwww-perl, lftp or wget tools, in order to force
them to create a file with another name.
Severity: 2/4
Creation date: 18/05/2010
DESCRIPTION OF THE VULNERABILITY
The lwp-download (libwww-perl), lftp and wget tools download
documents via the FTP or HTTP protocols.
These tools determine the local file name from the URL. For
example, http://s/page.html will be saved in the page.html file.
However, if http://s/page.html answers with an HTTP 301/302
redirect and a Content-Disposition header with a
"filename=.profile" attribute, then these tools save the page in
the ".profile" file. So, if the victim runs these tools from his
home directory, an attacker can plant a shell script there that
will be executed on the next session.
An attacker who controls a malicious web site can therefore return
an HTTP redirect to the libwww-perl, lftp or wget tools, in order
to force them to create a file with another name.
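The naming decision described above, written defensively, as an added example that is not part of the Vigil@nce bulletin and is not code from libwww-perl, lftp or wget. The function names, the "index.html" and "download.bin" fallbacks and the trust_server switch are assumptions made for illustration.

```python
import posixpath
from email.message import Message
from urllib.parse import urlsplit, unquote

def url_basename(url, default="index.html"):
    """Last path segment of the URL the user actually requested."""
    name = posixpath.basename(unquote(urlsplit(url).path))
    return name or default

def server_suggested_name(content_disposition):
    """filename= parameter of a Content-Disposition header, or None."""
    if not content_disposition:
        return None
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    return msg.get_filename()

def is_safe_name(name):
    """Reject empty names, dotfiles (.profile) and anything with a path."""
    if not name or name in (".", ".."):
        return False
    if name.startswith("."):
        return False
    return not any(c in name for c in "/\\\x00")

def choose_local_name(requested_url, content_disposition=None,
                      trust_server=False):
    """Pick the local file name for a download.

    The name comes from the URL the user typed, not from a redirect
    target. A server-supplied name is used only when the caller opts
    in (trust_server) and the name passes is_safe_name().
    """
    fallback = url_basename(requested_url)
    if not is_safe_name(fallback):
        fallback = "download.bin"  # assumed neutral fallback
    if trust_server:
        suggested = server_suggested_name(content_disposition)
        if is_safe_name(suggested):
            return suggested
    return fallback

if __name__ == "__main__":
    # Constructed header matching the case in the bulletin.
    header = "attachment; filename=.profile"
    print(choose_local_name("http://s/page.html", header))
    print(choose_local_name("http://s/page.html", header, trust_server=True))
```

Creating the chosen file with an exclusive-create mode (for example open(name, "xb")) additionally prevents an existing file from being replaced.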
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/libwww-perl-lftp-wget-file-creation-9648