wget utility malicious file name directory traversal

wget-ftp-filename-traversal (10820) The risk level is classified as MediumMedium Risk

Description:

wget could allow a remote attacker in control of a malicious FTP server to traverse directories and create or overwrite files on a victim's computer. If a remote attacker could force a victim to visit the malicious FTP server, the attacker could use specially-crafted file names containing the absolute path to the targeted directory or "dot dot" sequences (/../) to traverse directories and create or overwrite files with the same privileges as the wget user.


Consequences:

File Manipulation

Remedy:

For Red Hat Linux:
Upgrade to the latest wget packages, as listed below. Refer to RHSA-2002:229-13 for more information. See References.

Red Hat 6.2: 1.8.2-4.6x or later
Red Hat 7.0: 1.8.2-4.70 or later
Red Hat 7.1 for iSeries and pSeries: 1.8.2-4.71 or later
Red Hat 7.2: 1.8.2-4.72 or later
Red Hat 7.3: 1.8.2-4.73 or later
Red Hat 8.0: 1.8.2-5 or later

For Red Hat Advanced Server 2.1AS:
Upgrade to the latest wget package (1.8.2-4.72 or later), as listed in RHSA-2002:256-04. See References.

For Debian GNU/Linux:
Upgrade to the latest wget package, as listed below. Refer to DSA-209-1 for more information. See References.

Debian 2.2 (potato): 1.5.3-3.1 or later
Debian 3.0 (woody): 1.8.1-6.1 or later

For Conectiva Linux:
Upgrade to the latest wget package, as listed below. Refer to Conectiva Linux Announcement CLSA-2002:552 for more information. See References.

Conectiva Linux 6.0: 1.8.2-1U60_1cl or later
Conectiva Linux 7.0: 1.8.2-1U70_1cl or later
Conectiva Linux 8.0: 1.8.2-1U80_1cl or later

For Trustix Secure Linux:
Upgrade to the latest wget package, as listed below. Refer to Trustix Secure Linux Security Advisory #2002-0089 for more information. See References.

Trustix 1.5: 1.8.2-4tr or later

For Gentoo Linux:
Upgrade versions net-misc/wget-1.8.2-r1 and earlier, as listed in Gentoo Linux Security Announcement 200212-7. See References.

For Mandrake Linux:
Upgrade to the latest wget package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2002:086:wget for more information. See References.

Mandrake Linux 7.2: 1.8.2-3.1mdk or later
Mandrake Linux 8.0: 1.8.2-3.1mdk or later
Mandrake Linux 8.1: 1.8.2-3.1mdk or later
Mandrake Linux 8.2: 1.8.2-3.1mdk or later
Mandrake Linux 9.0: 1.8.2-3.1mdk or later
Single Network Firewall 7.2: 1.8.2-3.1mdk or later

For Caldera OpenLinux 3.1 and 3.1.1 (Workstation):
Upgrade to the latest wget package (1.7.1-3 or later), as listed in SCO Security Advisory CSSA-2003-003.0. See References.

For OpenPKG:
Upgrade to the latest wget package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2003.007 for more information. See References.

OpenPKG CURRENT: 1.8.2-20021216 or later
OpenPKG 1.1: 1.8.2-1.1.1 or later

For Immunix OS 7+:
Upgrade to the latest version of wget (1.8.2-4.70_imnx_3 or later), as listed in Immunix OS Security Advisory IMNX-2003-7+-011-01. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

Platforms Affected:

  • Conectiva Linux 6.0
  • Conectiva Linux 7.0
  • Conectiva Linux 8.0
  • Debian Debian Linux 2.2
  • Debian Debian Linux 3.0
  • Gentoo Linux
  • GNU wget 1.5.3
  • GNU wget 1.6
  • GNU wget 1.7
  • GNU wget 1.7.1
  • GNU wget 1.8
  • GNU wget 1.8.1
  • GNU wget 1.8.2
  • Immunix Immunix OS 7+-beta
  • MandrakeSoft Mandrake Linux 7.0
  • MandrakeSoft Mandrake Linux 7.2
  • MandrakeSoft Mandrake Linux 8.0 PPC
  • MandrakeSoft Mandrake Linux 8.0
  • MandrakeSoft Mandrake Linux 8.1 IA64
  • MandrakeSoft Mandrake Linux 8.1
  • MandrakeSoft Mandrake Linux 8.2 PPC
  • MandrakeSoft Mandrake Linux 8.2
  • MandrakeSoft Mandrake Linux 9.0
  • MandrakeSoft Mandrake Single Network Firewall 7.2
  • OpenPKG OpenPKG 1.1
  • OpenPKG OpenPKG 1.2
  • OpenPKG OpenPKG CURRENT
  • RedHat Enterprise Linux 2.1 AS
  • RedHat Linux 6.2
  • RedHat Linux 7
  • RedHat Linux 7.1
  • RedHat Linux 7.1 for iSeries
  • RedHat Linux 7.1 for pSeries
  • RedHat Linux 7.2
  • RedHat Linux 7.3
  • RedHat Linux 8.0
  • RedHat Linux Advanced Workstation 2.1 Itanium
  • SCO Caldera OpenLinux Server 3.1
  • SCO Caldera OpenLinux Server 3.1.1
  • SCO Caldera OpenLinux Workstation 3.1
  • SCO Caldera OpenLinux Workstation 3.1.1
  • Trustix Secure Linux 1.5

Reported:

Dec 10, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page