wget prior to 1.16 allows for a web server to write arbitrary files on the client side

Anonymous Coward
in security on (#2TS1)
Here's a concern for most of us. Be aware that the popular program wget, in versions prior to 1.16, allows for a FTP server to write arbitrary files on the client side. Wget is commonly used in shell scripts to get files or web pages from servers for further processing locally. Wget has many other uses as well, and is an important part of much command line sorcery.

A Metasploit module is available for testing:


the disclosure is here:


Redhat's bug is here:


Re: This one is really serious (Score: 1)

by fnj@pipedot.org on 2014-10-29 17:14 (#2TSJ)

I think this one has bigger potential than the bash-bug recently discussed. Very few are passing stuff down to a bash shell unfiltered
I do not think you understand the mechanism for ShellShock.
Post Comment
How many colors in the list brown, elephant, pink and monkey?