Comment 2TSJ Re: This one is really serious

Story

wget prior to 1.16 allows for a web server to write arbitrary files on the client side

Preview

This one is really serious (Score: 2, Informative)

by engblom@pipedot.org on 2014-10-29 12:37 (#2TS4)

I think this one has bigger potential than the bash-bug recently discussed. Very few are passing stuff down to a bash shell unfiltered compared to downloading with wget. Aren't almost all admins pasting in URLs and downloading with wget on servers if they need a file from the net? It will not help if you checked the MD5 sum of what you downloaded, as the vulnerability was in the client and not in the package you downloaded.

It is enough that one important server gets compromised by this vulnerability and it will spread like wildfire. An exploit will for sure check if the computer wget is running on is also running a web server. If it is, it will probably infect the web server for further spreading.

Re: This one is really serious (Score: 1)

by fnj@pipedot.org on 2014-10-29 17:14 (#2TSJ)

> I think this one has bigger potential than the bash-bug recently discussed. Very few are passing stuff down to a bash shell unfiltered

I do not think you understand the mechanism for ShellShock.
