Vigil@nce - wget: file corruption via symbolic links following
November 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can make wget write or create files at arbitrary
location with privileges of the wget process.
Impacted products: Debian, MBS, RHEL, Slackware, SUSE Linux
Enterprise Desktop, SLES, Ubuntu, Unix (platform)
Severity: 2/4
Creation date: 27/10/2014
DESCRIPTION OF THE VULNERABILITY
The tool wget may be used to retrieve a whole subtree with FTP.
By default, wget does not follow the symbolic links found at the
server side. Instead, it creates a local link. However, a
malicious server can respond to a directory listing command, a
specially crafted list that make wget write via the link that it
created and the target of which is controlled by the server.
A local attacker can therefore make wget write or create files at
arbitrary location with the privileges of the wget process.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/wget-file-corruption-via-symbolic-links-following-15551