The NO-NAME vuln: wget mess patched without a fancy brand
Directory overwrite bug threatens all *nix boxen
Sysadmins: another venerable and nearly-ubiquitous *nix tool, wget, needs patching because of a bug first reported by HD Moore.
As the Red Hat Bugzilla report describes, the bug was a beauty: a recursive directory fetch over FTP would let an attacker “create arbitrary files, directories or symbolic links” due to a symlink flaw.
A malicious FTP server would be able to do pretty much anything it wanted to an unsuspecting wget user – as Moore put it, it could “overwrite your entire filesystem”.
While fixable, CVE-2014-4877 is serious since wget is present on any Linux system, and is installable (although not by default) on OS X machines as well.
The bug has been fixed in wget 1.16, which blocks the default setting that allowed the setting of local symlinks. A note on the Bugzilla report also describes a workaround for (the huge number of) systems that use wget scripts to fetch stuff from the Internet.
“This issue can be mitigated by ensuring that all invocations of wget in the mirror mode also specify --retr-symlinks command line option. Doing so is equivalent to applying the upstream commit linked in comment 14, which changes the default for the retr-symlinks options from off/no to on/yes, preventing creation of symbolic links locally,” wrote Thomas Hoger
“In addition to changing arguments in all scripts or programs that invoke wget, it is possible to enabled retr-symlinks option via wget configuration file - either global /etc/wgetrc, or user specific ~/.wgetrc - by adding the following line: