wget prior to 1.16 allows for a web server to write arbitrary files on the client side
Here's a concern for most of us. Be aware that the popular program wget, in versions prior to 1.16, allows for an FTP server to write arbitrary files on the client side. Wget is commonly used in shell scripts to get files or web pages from servers for further processing locally. Wget has many other uses as well, and is an important part of much command line sorcery.
A Metasploit module is available for testing:
https://github.com/rapid7/metasploit-framework/pull/4088
The disclosure is here:
https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
Red Hat's bug is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1139181
/trollface
In all seriousness though, this definitely has potential to be a pretty serious issue given how widespread wget's use is, coupled with this probably not being taken as seriously outside of admin circles. Considering how much damage could be done under the guise of offering up instructions for downloading otherwise innocuous content on some FOSS help page somewhere, that seems reason enough to take this pretty seriously.
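
A quick way to find hosts still running a wget older than 1.16, the cutoff given in the post above. This is an added example, not part of the original thread or of wget itself; the function names are hypothetical, the sample banners are constructed, and it assumes the first line of `wget --version` has the form "GNU Wget X.Y ...".

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample banners are constructed.

# Pull the version out of the first line of `wget --version` output,
# e.g. "GNU Wget 1.15 built on linux-gnu." -> "1.15".
parse_wget_version() {
    printf '%s\n' "$1" | sed -n '1s/^GNU Wget \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when version $1 is older than 1.16, 1 when it is not,
# 2 when it cannot be parsed. Components are compared as numbers,
# so 1.9 sorts before 1.16 (a plain string compare gets that wrong).
is_pre_1_16() {
    major=${1%%.*}
    rest=${1#*.}
    [ "$rest" = "$1" ] && rest=0          # no minor component given
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 16 ]; }
}

# Classify one banner: prints "VULNERABLE <ver>", "OK <ver>" or "UNKNOWN".
audit_banner() {
    ver=$(parse_wget_version "$1")
    if [ -z "$ver" ]; then echo "UNKNOWN"; return 0; fi
    rc=0; is_pre_1_16 "$ver" || rc=$?
    case $rc in
        0) echo "VULNERABLE $ver" ;;
        1) echo "OK $ver" ;;
        *) echo "UNKNOWN" ;;
    esac
}

# Constructed sample banners, so the script runs without wget installed.
for banner in \
    "GNU Wget 1.9.1" \
    "GNU Wget 1.15 built on linux-gnu." \
    "GNU Wget 1.16 built on linux-gnu." \
    "BusyBox v1.22.1 multi-call binary."
do
    printf '%-40s %s\n' "$banner" "$(audit_banner "$banner")"
done

# The locally installed binary, if there is one.
if command -v wget >/dev/null 2>&1; then
    echo "local wget: $(audit_banner "$(wget --version 2>/dev/null)")"
fi
```

Distribution packages can carry a backported fix under an older upstream version number, so treat a VULNERABLE result as a prompt to check the vendor's advisory for that package rather than as proof.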