WGET bug allows remote FTP servers to write to arbitrary files and therefore execute arbitrary commands

Severity: critical (can fully compromise the system)
Affects: GNU WGET versions 1.15 and prior

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink. The issue was first reported as CVE-2014-4877.



RECOMMENDATION

Updating GNU WGET

The issue was fixed with the release of GNU WGET 1.16. The updates can be found here:

 - ftp://ftp.gnu.org/gnu/wget/wget-1.16.tar.gz

 - ftp://ftp.gnu.org/gnu/wget/wget-1.16.tar.xz

and the GPG detached signatures using the key E163E1EA:

 - ftp://ftp.gnu.org/gnu/wget/wget-1.16.tar.gz.sig

 - ftp://ftp.gnu.org/gnu/wget/wget-1.16.tar.xz.sig


Configuring WGET 1.15 and earlier when updating is not an option

In wget versions 1.15 and earlier, set retr-symlinks=on in /etc/wgetrc or ~/.wgetrc, or pass --retr-symlinks as a command-line option to wget.
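The version check and wgetrc lookup behind that recommendation, as an added audit script that is not part of this advisory or of GNU Wget; the affected range (1.15 and earlier) and the retr-symlinks key come from the advisory, and the wgetrc it inspects is a constructed sample:

```shell
#!/bin/sh
# Added audit helper, not part of the advisory or of GNU Wget: tells whether a
# wget version is in the affected range (1.15 and earlier) and whether a wgetrc
# file carries the advisory's retr-symlinks mitigation.

# parse_wget_version "GNU Wget 1.15 built on linux-gnu." -> "1.15"
# (the first line of `wget --version`)
parse_wget_version() {
    printf '%s\n' "$1" | sed -n 's/^GNU Wget \([0-9][0-9.]*\).*/\1/p'
}

# wget_affected VERSION -> status 0 if VERSION is 1.15 or earlier, 1 if fixed.
wget_affected() {
    major=${1%%.*}
    rest=${1#*.}
    minor=$(printf '%s' "${rest%%.*}" | sed 's/[^0-9].*//')   # "14-beta" -> "14"
    [ "$major" -eq 1 ] || { [ "$major" -lt 1 ]; return; }
    [ "${minor:-0}" -lt 16 ]
}

# wgetrc_has_mitigation FILE -> status 0 if FILE enables retr-symlinks.
# wgetrc keys are case-insensitive and ignore '-' and '_'; on/yes/1 mean true.
# The last assignment in the file wins, as it does when wget reads the file.
wgetrc_has_mitigation() {
    [ -r "$1" ] || return 1
    last=$(tr '[:upper:]' '[:lower:]' < "$1" |
        sed -n 's/^[[:space:]]*retr[-_]*symlinks[[:space:]]*=[[:space:]]*\([a-z0-9]*\).*/\1/p' |
        tail -n 1)
    case "$last" in on|yes|1) return 0 ;; *) return 1 ;; esac
}

# audit_wgetrc FILE VERSION -> prints a one-line verdict, status 0 when safe.
audit_wgetrc() {
    if ! wget_affected "$2"; then
        echo "wget $2: not affected (fixed in 1.16)"; return 0
    elif wgetrc_has_mitigation "$1"; then
        echo "wget $2: affected, retr-symlinks mitigation present in $1"; return 0
    else
        echo "wget $2: affected, no retr-symlinks mitigation in $1; update or set it"; return 1
    fi
}

# Demo on a constructed wgetrc (sample input, not a real system file).
demo=$(mktemp)
printf '# constructed sample\nretr-symlinks = off\nRetr_Symlinks=on\n' > "$demo"
audit_wgetrc "$demo" "$(parse_wget_version 'GNU Wget 1.15 built on linux-gnu.')"
rm -f "$demo"
```

On a real host, feed it `"$(wget --version | head -n 1)"` and each of /etc/wgetrc and ~/.wgetrc in turn, since the later file overrides the earlier one.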