Comment 2TSD Re: This one is really serious


wget prior to 1.16 allows for a web server to write arbitrary files on the client side


This one is really serious (Score: 2, Informative)

by on 2014-10-29 12:37 (#2TS4)

I think this one has bigger potential than the bash-bug recently discussed. Very few are passing stuff down to a bash shell unfiltered comparing to downloading with wget. Aren't almost all admins pasting in urls and downloading with wget on servers if they need a file from the net? It will not help if you checked the MD5 sum of what you downloaded as the vulnerability was in the client and not in the package you downloaded.

It is enough that one important server get compromized by this vulnerability and it will spread like a wild fire. An exploit will for sure check if the computer wget is running on also is running a web server. If it does, it will probably infect the web server for further spreading.

Re: This one is really serious (Score: 2, Insightful)

by on 2014-10-29 13:17 (#2TS5)

Agreed. Also: with the exception of curl, there aren't really any good alternatives to wget. It's good at what it does, and gets worked into all sorts of useful scripts.

Junk Status

Not marked as junk