Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 9 Jul 2016 22:24:58 +0300
From: Solar Designer <>
Subject: CVE-2016-4971: wget < 1.18 trusts server-provided filename on HTTP to FTP redirects


In 2010, several command-line programs were fixed to distrust filenames
provided by HTTP servers via Location and Content-Disposition headers.
wget gained --trust-server-names and --content-disposition options to
let users revert to the old (risky) behavior.

As it turns out, the fix for wget was incomplete, not covering the
special case of HTTP to FTP redirects.  This is addressed in wget 1.18
released a month ago:

"This version fixes a security vulnerability (CVE-2016-4971) present in
all old versions of wget.  The vulnerability was discovered by Dawid
Golunski which were reported to us by Beyond Security's SecuriTeam.

On a server redirect from HTTP to a FTP resource, wget would trust the
HTTP server and uses the name in the redirected URL as the destination
This behaviour was changed and now it works similarly as a redirect from
HTTP to another HTTP resource so the original name is used as
the destination file.  To keep the previous behaviour the user must
provide --trust-server-names."

Upstream commit:


(also attached to this message).  A component of the attack - making
wget download a .wgetrc first - was described here:

but there are also new tricks: the HTTP to FTP redirect, and the use of
post_file to make wget POST a file from the server with the cron job.


View attachment "Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt" of type "text/plain" (16266 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.