ID CVE-2002-1344 Type cve Reporter NVD Modified 2016-12-07T21:59:21
Description
Directory traversal vulnerability in wget before 1.8.2-4 allows a remote FTP server to create or overwrite files as the wget user via filenames containing (1) /absolute/path or (2) .. (dot dot) sequences.
{"result": {"cert": [{"id": "VU:210148", "type": "cert", "title": "wget contains directory traversal vulnerability", "description": "### Overview\n\nThe `wget` utility contains directory traversal vulnerabilities that allow a malicious FTP server to overwrite files on the client host.\n\n### Description\n\nIn a typical file transfer operation, one participant (the client) requests a file while a second participant (the server) provides the requested file. Before processing each request, many server implementations will consult an access control policy to determine whether the client should be permitted to read, write, or create a file at the requested location. If the client is able to craft a request that violates the server's access control policy, then the server contains a vulnerability. Since most vulnerabilities of this type involve escaping a restricted set of directories, they are commonly known as \"directory traversal\" vulnerabilities. \n\nDirectory traversal vulnerabilities are most often reported in server implementations, but recent research into the behavior of FTP clients has revealed vulnerabilities in several file transfer applications, including the `wget` utility. To exploit these vulnerabilities, an attacker must convince the victim user to access a specific FTP server containing files with crafted filenames. When an affected version of `wget` attempts to download one of these files, the crafted filename causes the utility to write the downloaded files to the location specified by the filename, not by the victim user. In some cases, the attacker must use a modified FTP server to allow the crafted filenames to be passed to the client. \n \nFor more detailed information regarding this research, please read \"[_Directory Traversal Vulnerabilities in FTP Clients_](<http://online.securityfocus.com/archive/1/302956>)\", written by Steve Christey. \n \n--- \n \n### Impact\n\nThis vulnerability allows an attacker to mislead `wget` users, convincing them to unintentionally create or overwrite files on the client's filesystem. \n \n--- \n \n### Solution\n\n**Apply a patch from your vendor** \n \nFor vendor-specific information regarding vulnerability status and patch availability, please consult the Systems Affected section of this document \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nConectiva| | 05 Dec 2002| 13 Dec 2002 \nDebian| | 05 Dec 2002| 13 Dec 2002 \nGentoo Linux| | 20 Dec 2002| 31 Dec 2002 \nMandrakeSoft| | 05 Dec 2002| 12 Dec 2002 \nRed Hat Inc.| | 05 Dec 2002| 10 Dec 2002 \nTrustix| | 19 Dec 2002| 31 Dec 2002 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23210148 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://online.securityfocus.com/archive/1/302956>\n\n### Credit\n\nThe CERT/CC thanks Steve Christey for his discovery and analysis of this vulnerability.\n\nThis document was written by Jeffrey P. Lanza.\n\n### Other Information\n\n * CVE IDs: [CAN-2002-1344](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2002-1344>)\n * Date Public: 10 Dec 2002\n * Date First Published: 10 Dec 2002\n * Date Last Updated: 14 Apr 2003\n * Severity Metric: 0.68\n * Document Revision: 12\n\n", "published": "2002-12-10T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.kb.cert.org/vuls/id/210148", "cvelist": ["CVE-2002-1344", "CVE-2002-1344"], "lastseen": "2016-02-03T09:12:51"}], "nessus": [{"id": "REDHAT-RHSA-2002-256.NASL", "type": "nessus", "title": "RHEL 2.1 : wget (RHSA-2002:256)", "description": "The wget packages shipped with Red Hat Linux Advanced Server 2.1 contain a security bug which, under certain circumstances, can cause local files to be written outside the download directory.\n\n[Updated 09 Jan 2003] Added fixed packages for the Itanium (IA64) architecture.\n\n[Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1\n\nVersions of wget prior to 1.8.2-4 contain a bug that permits a malicious FTP server to create or overwrite files anywhere on the local file system.\n\nFTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3).\n\nIf the FTP client fails to do so, a malicious FTP server can send filenames beginning with '/' or containing '/../' which can be used to direct a vulnerable FTP client to write files (such as .forward, .rhosts, .shost, etc.) that can then be used for later attacks against the client machine.\n\nAll users of wget should upgrade to the errata packages which are not vulnerable to this issue.\n\nThanks to Steven M. Christey for his work in discovering this issue in current FTP clients and for providing a patched FTP server to verify the new packages.", "published": "2004-07-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=12334", "cvelist": ["CVE-2002-1344"], "lastseen": "2017-10-29T13:35:42"}, {"id": "MANDRAKE_MDKSA-2002-086.NASL", "type": "nessus", "title": "Mandrake Linux Security Advisory : wget (MDKSA-2002:086)", "description": "A vulnerability in all versions of wget prior to and including 1.8.2 was discovered by Steven M. Christey. The bug permits a malicious FTP server to create or overwriet files anywhere on the local file system by sending filenames beginning with '/' or containing '/../'. This can be used to make vulnerable FTP clients write files that can later be used for attack against the client machine.", "published": "2004-07-31T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=13984", "cvelist": ["CVE-2002-1344"], "lastseen": "2017-10-29T13:44:05"}, {"id": "DEBIAN_DSA-209.NASL", "type": "nessus", "title": "Debian DSA-209-1 : wget - directory traversal", "description": "Two problems have been found in the wget package as distributed in Debian GNU/Linux :\n\n - Stefano Zacchiroli found a buffer overrun in the url_filename function, which would make wget segfault on very long URLs\n - Steven M. Christey discovered that wget did not verify the FTP server response to a NLST command: it must not contain any directory information, since that can be used to make an FTP client overwrite arbitrary files.\n\nBoth problems have been fixed in version 1.5.3-3.1 for Debian GNU/Linux 2.2/potato and version 1.8.1-6.1 for Debian GNU/Linux 3.0/woody.", "published": "2004-09-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=15046", "cvelist": ["CVE-2002-1565", "CVE-2002-1344"], "lastseen": "2017-10-29T13:37:59"}], "openvas": [{"id": "OPENVAS:53857", "type": "openvas", "title": "Debian Security Advisory DSA 209-1 (wget)", "description": "The remote host is missing an update to wget\nannounced via advisory DSA 209-1.", "published": "2008-01-17T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=53857", "cvelist": ["CVE-2002-1344"], "lastseen": "2017-07-24T12:50:07"}], "redhat": [{"id": "RHSA-2002:256", "type": "redhat", "title": "(RHSA-2002:256) wget security update", "description": "Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious\nFTP server to create or overwrite files anywhere on the local file system.\n\nFTP clients must check to see if an FTP server's response to the NLST\ncommand includes any directory information along with the list of filenames\nrequired by the FTP protocol (RFC 959, section 4.1.3).\n\nIf the FTP client fails to do so, a malicious FTP server can send filenames\nbeginning with '/' or containing '/../' which can be used to direct a\nvulnerable FTP client to write files (such as .forward, .rhosts, .shost,\netc.) that can then be used for later attacks against the client machine.\n\nAll users of wget should upgrade to the errata packages which are not\nvulnerable to this issue.\n\nThanks to Steven M. Christey for his work in discovering this issue\nin current FTP clients and for providing a patched FTP server to verify\nthe new packages.", "published": "2003-02-06T05:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2002:256", "cvelist": ["CVE-2002-1344"], "lastseen": "2018-03-14T15:43:39"}], "osvdb": [{"id": "OSVDB:6982", "type": "osvdb", "title": "GNU wget Arbitrary File Creation/Overwrite", "description": "## Vulnerability Description\nwget contains a flaw that may allow a remote malicious user to write arbitrary files to the system. The issue is triggered when an NLST response from the server contains directory path information. It is possible that the flaw may allow arbitrary files to be written resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, multiple vendors have released a patch to address this vulnerability.\n## Short Description\nwget contains a flaw that may allow a remote malicious user to write arbitrary files to the system. The issue is triggered when an NLST response from the server contains directory path information. It is possible that the flaw may allow arbitrary files to be written resulting in a loss of integrity.\n## References:\n[Vendor Specific Advisory URL](http://marc.theaimsgroup.com/?l=bugtraq&m=104033016703851&w=2)\n[Vendor Specific Advisory URL](http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-086.php)\n[Vendor Specific Advisory URL](http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000552)\n[Vendor Specific Advisory URL](http://marc.theaimsgroup.com/?l=bugtraq&m=103973388702700&w=2)\n[Secunia Advisory ID:7684](https://secuniaresearch.flexerasoftware.com/advisories/7684/)\nRedHat RHSA: RHSA-2002:229\n[Nessus Plugin ID:12334](https://vulners.com/search?query=pluginID:12334)\n[Nessus Plugin ID:13984](https://vulners.com/search?query=pluginID:13984)\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=103962838628940&w=2\n[CVE-2002-1344](https://vulners.com/cve/CVE-2002-1344)\nBugtraq ID: 6352\n", "published": "2002-12-10T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://vulners.com/osvdb/OSVDB:6982", "cvelist": ["CVE-2002-1344"], "lastseen": "2017-04-28T13:20:02"}], "debian": [{"id": "DSA-209", "type": "debian", "title": "wget -- directory traversal", "description": "Two problems have been found in the wget package as distributed in Debian GNU/Linux:\n\n * Stefano Zacchiroli found a buffer overrun in the url_filename function, which would make wget segfault on very long URLs\n * Steven M. Christey discovered that wget did not verify the FTP server response to a NLST command: it must not contain any directory information, since that can be used to make an FTP client overwrite arbitrary files.\n\nBoth problems have been fixed in version 1.5.3-3.1 for Debian GNU/Linux 2.2/potato and version 1.8.1-6.1 for Debian GNU/Linux 3.0/woody.", "published": "2002-12-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-209", "cvelist": ["CVE-2002-1565", "CVE-2002-1344"], "lastseen": "2016-09-02T18:34:34"}]}}
