[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CADSYzstoyBsX8BcMnJ0hm3YJfFBruiOEKyZX1jm56+SoCUacdg@mail.gmail.com>
Date: Wed, 6 Jul 2016 13:51:21 +0200
From: Dawid Golunski <dawid@...alhackers.com>
To: fulldisclosure@...lists.org
Subject: [FD] GNU Wget < 1.18 Arbitrary File Upload
GNU Wget < 1.18 Arbitrary File Upload
URL: http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt
CVE-2016-4971
GNU Wget before 1.18 when supplied with a malicious URL (to a malicious or
compromised web server) can be tricked into saving an arbitrary remote file
supplied by an attacker, with arbitrary contents and filename under
the current directory and possibly other directories by writing to .wgetrc.
Depending on the context in which wget is used, this can lead to remote code
execution and even root privilege escalation if wget is run via a root cronjob
as is often the case in many web application deployments.
The vulnerability could also be exploited by well-positioned attackers within
the network who are able to intercept/modify the network traffic.
As most of the main linux distributions have updated their wget packages,
the exploit has been made public.
You can see my full advisory at:
http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt
--
Regards,
Dawid Golunski
http://legalhackers.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists