ID CVE-2002-1344 Type cve Reporter cve@mitre.org Modified 2018-10-19T15:29:00
Description
Directory traversal vulnerability in wget before 1.8.2-4 allows a remote FTP server to create or overwrite files as the wget user via filenames containing (1) /absolute/path or (2) .. (dot dot) sequences.
{"redhat": [{"lastseen": "2019-08-13T18:46:16", "bulletinFamily": "unix", "cvelist": ["CVE-2002-1344"], "description": "Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious\nFTP server to create or overwrite files anywhere on the local file system.\n\nFTP clients must check to see if an FTP server's response to the NLST\ncommand includes any directory information along with the list of filenames\nrequired by the FTP protocol (RFC 959, section 4.1.3).\n\nIf the FTP client fails to do so, a malicious FTP server can send filenames\nbeginning with '/' or containing '/../' which can be used to direct a\nvulnerable FTP client to write files (such as .forward, .rhosts, .shost,\netc.) that can then be used for later attacks against the client machine.\n\nAll users of wget should upgrade to the errata packages which are not\nvulnerable to this issue.\n\nThanks to Steven M. Christey for his work in discovering this issue\nin current FTP clients and for providing a patched FTP server to verify\nthe new packages.", "modified": "2018-03-14T19:25:44", "published": "2003-02-06T05:00:00", "id": "RHSA-2002:256", "href": "https://access.redhat.com/errata/RHSA-2002:256", "type": "redhat", "title": "(RHSA-2002:256) wget security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2017-07-24T12:50:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1344"], "description": "The remote host is missing an update to wget\nannounced via advisory DSA 209-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53857", "href": "http://plugins.openvas.org/nasl.php?oid=53857", "type": "openvas", "title": "Debian Security Advisory DSA 209-1 (wget)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_209_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 209-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Two problems have been found in the wget package as distributed in\nDebian GNU/Linux:\n\n* Stefano Zacchiroli found a buffer overrun in the url_filename function,\nwhich would make wget segfault on very long URLs\n\n* Steven M. Christey discovered that wget did not verify the FTP server\nresponse to a NLST command: it must not contain any directory information,\nsince that can be used to make a FTP client overwrite arbitrary files.\n\nBoth problems have been fixed in version 1.5.3-3.1 for Debian GNU/Linux\n2.2/potato and version 1.8.1-6.1 for Debian GNU/Linux 3.0/woody.\";\ntag_summary = \"The remote host is missing an update to wget\nannounced via advisory DSA 209-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20209-1\";\n\nif(description)\n{\n script_id(53857);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:28:10 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(6352);\n script_cve_id(\"CVE-2002-1344\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_name(\"Debian Security Advisory DSA 209-1 (wget)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"wget\", ver:\"1.5.3-3.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"wget\", ver:\"1.8.1-6.1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "cert": [{"lastseen": "2020-09-18T20:44:15", "bulletinFamily": "info", "cvelist": ["CVE-2002-1344"], "description": "### Overview \n\nThe `wget` utility contains directory traversal vulnerabilities that allow a malicious FTP server to overwrite files on the client host.\n\n### Description \n\nIn a typical file transfer operation, one participant (the client) requests a file while a second participant (the server) provides the requested file. Before processing each request, many server implementations will consult an access control policy to determine whether the client should be permitted to read, write, or create a file at the requested location. If the client is able to craft a request that violates the server's access control policy, then the server contains a vulnerability. Since most vulnerabilities of this type involve escaping a restricted set of directories, they are commonly known as \"directory traversal\" vulnerabilities.\n\nDirectory traversal vulnerabilities are most often reported in server implementations, but recent research into the behavior of FTP clients has revealed vulnerabilities in several file transfer applications, including the `wget` utility. To exploit these vulnerabilities, an attacker must convince the victim user to access a specific FTP server containing files with crafted filenames. When an affected version of `wget` attempts to download one of these files, the crafted filename causes the utility to write the downloaded files to the location specified by the filename, not by the victim user. In some cases, the attacker must use a modified FTP server to allow the crafted filenames to be passed to the client. \n \nFor more detailed information regarding this research, please read \"[_Directory Traversal Vulnerabilities in FTP Clients_](<http://online.securityfocus.com/archive/1/302956>)\", written by Steve Christey. \n \n--- \n \n### Impact \n\nThis vulnerability allows an attacker to mislead `wget` users, convincing them to unintentionally create or overwrite files on the client's filesystem. \n \n--- \n \n### Solution \n\n**Apply a patch from your vendor** \n \nFor vendor-specific information regarding vulnerability status and patch availability, please consult the Systems Affected section of this document \n \n--- \n \n### Vendor Information\n\n210148\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Conectiva __ Affected\n\nNotified: December 05, 2002 Updated: December 13, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nConectiva has published Conectiva Linux Security Announcement CLA-2002:552 to address this vulnerability. For more information, please see\n\n \n[_http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000552_](<http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000552>)\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23210148 Feedback>).\n\n### Debian __ Affected\n\nNotified: December 05, 2002 Updated: December 13, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nDebian has published Debian Security Advisory DSA-209-1 to address this vulnerability. For more information, please see\n\n \n[_http://www.debian.org/security/2002/dsa-209_](<http://www.debian.org/security/2002/dsa-209>)\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23210148 Feedback>).\n\n### Gentoo Linux __ Affected\n\nNotified: December 20, 2002 Updated: December 31, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nGentoo Linux has published Security Announcement 200212-7 to address this vulnerability. For more information, please see\n\n \n[_http://forums.gentoo.org/viewtopic.php?t=27117_](<http://forums.gentoo.org/viewtopic.php?t=27117>)\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23210148 Feedback>).\n\n### MandrakeSoft __ Affected\n\nNotified: December 05, 2002 Updated: December 12, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nMandrakeSoft has published MandrakeSoft Security Advisory MDKSA-2002:086 to address this vulnerability. For more information, please see\n\n \n[_http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:086_](<http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2002:086>)\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23210148 Feedback>).\n\n### Red Hat Inc. __ Affected\n\nNotified: December 05, 2002 Updated: December 10, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nRed Hat distributes wget with Red Hat Linux which is vulnerable to these issues. Updated versions of wget are available at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool. \n\n\nRed Hat Linux: \n\n\n[_http://rhn.redhat.com/errata/RHSA-2002-229.html_](<http://rhn.redhat.com/errata/RHSA-2002-229.html>) \nRed Hat Linux Advanced Server: \n\n\n[_http://rhn.redhat.com/errata/RHSA-2002-256.html_](<http://rhn.redhat.com/errata/RHSA-2002-256.html>)\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23210148 Feedback>).\n\n### Trustix __ Affected\n\nNotified: December 19, 2002 Updated: December 31, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nTrustix Secure Linux has published Security Advisory #2002-0089 to address this vulnerability. For more information, please see\n\n \n[_http://www.trustix.net/errata/misc/2002/TSL-2002-0089-wget.asc.txt_](<http://www.trustix.net/errata/misc/2002/TSL-2002-0089-wget.asc.txt>)\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23210148 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n<http://online.securityfocus.com/archive/1/302956>\n\n### Acknowledgements\n\nThe CERT/CC thanks Steve Christey for his discovery and analysis of this vulnerability.\n\nThis document was written by Jeffrey P. Lanza.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2002-1344](<http://web.nvd.nist.gov/vuln/detail/CVE-2002-1344>) \n---|--- \n**Severity Metric:** | 0.68 \n**Date Public:** | 2002-12-10 \n**Date First Published:** | 2002-12-10 \n**Date Last Updated: ** | 2003-04-14 22:48 UTC \n**Document Revision: ** | 12 \n", "modified": "2003-04-14T22:48:00", "published": "2002-12-10T00:00:00", "id": "VU:210148", "href": "https://www.kb.cert.org/vuls/id/210148", "type": "cert", "title": "wget contains directory traversal vulnerability", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:02", "bulletinFamily": "software", "cvelist": ["CVE-2002-1344"], "edition": 1, "description": "## Vulnerability Description\nwget contains a flaw that may allow a remote malicious user to write arbitrary files to the system. The issue is triggered when an NLST response from the server contains directory path information. It is possible that the flaw may allow arbitrary files to be written resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, multiple vendors have released a patch to address this vulnerability.\n## Short Description\nwget contains a flaw that may allow a remote malicious user to write arbitrary files to the system. The issue is triggered when an NLST response from the server contains directory path information. It is possible that the flaw may allow arbitrary files to be written resulting in a loss of integrity.\n## References:\n[Vendor Specific Advisory URL](http://marc.theaimsgroup.com/?l=bugtraq&m=104033016703851&w=2)\n[Vendor Specific Advisory URL](http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-086.php)\n[Vendor Specific Advisory URL](http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000552)\n[Vendor Specific Advisory URL](http://marc.theaimsgroup.com/?l=bugtraq&m=103973388702700&w=2)\n[Secunia Advisory ID:7684](https://secuniaresearch.flexerasoftware.com/advisories/7684/)\nRedHat RHSA: RHSA-2002:229\n[Nessus Plugin ID:12334](https://vulners.com/search?query=pluginID:12334)\n[Nessus Plugin ID:13984](https://vulners.com/search?query=pluginID:13984)\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=103962838628940&w=2\n[CVE-2002-1344](https://vulners.com/cve/CVE-2002-1344)\nBugtraq ID: 6352\n", "modified": "2002-12-10T00:00:00", "published": "2002-12-10T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:6982", "id": "OSVDB:6982", "title": "GNU wget Arbitrary File Creation/Overwrite", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "debian": [{"lastseen": "2019-05-30T02:22:32", "bulletinFamily": "unix", "cvelist": ["CVE-2002-1344"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-209-1 security@debian.org\nhttp://www.debian.org/security/ Wichert Akkerman\nDecember 12, 2002\n- ------------------------------------------------------------------------\n\n\nPackage : wget\nProblem type : directory traversal\n buffer overflow\nDebian-specific: no\nCVEs : CAN-2002-1344\n\nTwo problems have been found in the wget package as distributed in\nDebian GNU/Linux:\n\n* Stefano Zacchiroli found a buffer overrun in the url_filename function,\n which would make wget segfault on very long URLs\n\n* Steven M. Christey discovered that wget did not verify the FTP server\n response to a NLST command: it must not contain any directory information,\n since that can be used to make a FTP client overwrite arbitrary files.\n\nBoth problems have been fixed in version 1.5.3-3.1 for Debian GNU/Linux\n2.2/potato and version 1.8.1-6.1 for Debian GNU/Linux 3.0/woody.\n\n- ------------------------------------------------------------------------\n\nObtaining updates:\n\n By hand:\n wget URL\n will fetch the file for you.\n dpkg -i FILENAME.deb\n will install the fetched file.\n\n With apt:\n deb http://security.debian.org/ stable/updates main\n added to /etc/apt/sources.list will provide security updates\n\nAdditional information can be found on the Debian security webpages\nat http://www.debian.org/security/\n\n- ------------------------------------------------------------------------\n\n\nDebian GNU/Linux 2.2 alias potato\n- ---------------------------------\n\n Potato was released for alpha, arm, i386, m68k, powerpc and sparc.\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1.diff.gz\n Size/MD5 checksum: 75231 61d99d8ab75b95cd9fa2459e74182a50\n http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3.orig.tar.gz\n Size/MD5 checksum: 446966 47680b25bf893afdb0c43b24e3fc2fd6\n http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1.dsc\n Size/MD5 checksum: 1163 9eb3c57aa94d74e3c6e4097b5d941563\n\n alpha architecture (DEC Alpha)\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_alpha.deb\n Size/MD5 checksum: 249228 0eedd7487056460a8de93ea2ed3402f2\n\n arm architecture (ARM)\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_arm.deb\n Size/MD5 checksum: 233342 9a57b21e6611b46b3991bb38e75dbd08\n\n i386 architecture (Intel ia32)\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_i386.deb\n Size/MD5 checksum: 227812 fc7c576836d26cebc397c07f3bbd1488\n\n m68k architecture (Motorola Mc680x0)\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_m68k.deb\n Size/MD5 checksum: 224820 b967f1e1b960be2fce3fb2cae55b6710\n\n powerpc architecture (PowerPC)\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_powerpc.deb\n Size/MD5 checksum: 234646 48b138d481cebbe85b437d82b63285b7\n\n sparc architecture (Sun SPARC/UltraSPARC)\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_sparc.deb\n Size/MD5 checksum: 235500 631874205d8d85378555387209a9db37\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Woody was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel,\n powerpc, s390 and sparc. An update for mipsel is not available at this\n moment.\n\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1.orig.tar.gz\n Size/MD5 checksum: 1097780 6ca8e939476e840f0ce69a3b31c13060\n http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1.diff.gz\n Size/MD5 checksum: 9939 69f96b6608e043e0d781061a22e90169\n http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1.dsc\n Size/MD5 checksum: 1217 97af60040e8d7a2cd538d18a5120cd87\n\n alpha architecture (DEC Alpha)\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_alpha.deb\n Size/MD5 checksum: 364338 aeade9ab45904c8b6c64fcdb5934576e\n\n arm architecture (ARM)\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_arm.deb\n Size/MD5 checksum: 335972 dfe4085e95fd53be9821d1b33d79d134\n\n hppa architecture (HP PA RISC)\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_hppa.deb\n Size/MD5 checksum: 355790 32dd606c8dc5b3d3fc8000519009de4e\n\n i386 architecture (Intel ia32)\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_i386.deb\n Size/MD5 checksum: 332394 afc976eaaf4cd416f8eedd347d18367b\n\n ia64 architecture (Intel ia64)\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_ia64.deb\n Size/MD5 checksum: 393540 efb82eb46927b657fa8e2706f475bf53\n\n m68k architecture (Motorola Mc680x0)\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_m68k.deb\n Size/MD5 checksum: 327236 60f0449f6d0a3b4ff76beb59f1e762d0\n\n mips architecture (MIPS (Big Endian))\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_mips.deb\n Size/MD5 checksum: 348676 af79ba0f16b12678594f15bdf49325b9\n\n powerpc architecture (PowerPC)\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_powerpc.deb\n Size/MD5 checksum: 341130 0d67a5f9b284e2088847935901333888\n\n s390 architecture (IBM S/390)\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_s390.deb\n Size/MD5 checksum: 336118 c731e21474d3965c851fcb3921abe979\n\n sparc architecture (Sun SPARC/UltraSPARC)\n\n http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_sparc.deb\n Size/MD5 checksum: 340978 3ba4e8cdf1c96b5ba5fd7d52316d73e2\n\n\n- -- \n- ----------------------------------------------------------------------------\nDebian Security team <team@security.debian.org>\nhttp://www.debian.org/security/\nMailing-List: debian-security-announce@lists.debian.org\n\n", "edition": 2, "modified": "2002-12-12T00:00:00", "published": "2002-12-12T00:00:00", "id": "DEBIAN:DSA-209-1:42153", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2002/msg00136.html", "title": "[SECURITY] [DSA-209-1] two wget problems", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2021-01-17T13:05:14", "description": "The wget packages shipped with Red Hat Linux Advanced Server 2.1\ncontain a security bug which, under certain circumstances, can cause\nlocal files to be written outside the download directory.\n\n[Updated 09 Jan 2003] Added fixed packages for the Itanium (IA64)\narchitecture.\n\n[Updated 06 Feb 2003] Added fixed packages for Advanced Workstation\n2.1\n\nVersions of wget prior to 1.8.2-4 contain a bug that permits a\nmalicious FTP server to create or overwrite files anywhere on the\nlocal file system.\n\nFTP clients must check to see if an FTP server's response to the NLST\ncommand includes any directory information along with the list of\nfilenames required by the FTP protocol (RFC 959, section 4.1.3).\n\nIf the FTP client fails to do so, a malicious FTP server can send\nfilenames beginning with '/' or containing '/../' which can be used to\ndirect a vulnerable FTP client to write files (such as .forward,\n.rhosts, .shost, etc.) that can then be used for later attacks against\nthe client machine.\n\nAll users of wget should upgrade to the errata packages which are not\nvulnerable to this issue.\n\nThanks to Steven M. Christey for his work in discovering this issue in\ncurrent FTP clients and for providing a patched FTP server to verify\nthe new packages.", "edition": 28, "published": "2004-07-06T00:00:00", "title": "RHEL 2.1 : wget (RHSA-2002:256)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1344"], "modified": "2004-07-06T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:2.1", "p-cpe:/a:redhat:enterprise_linux:wget"], "id": "REDHAT-RHSA-2002-256.NASL", "href": "https://www.tenable.com/plugins/nessus/12334", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2002:256. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(12334);\n script_version(\"1.27\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2002-1344\");\n script_xref(name:\"RHSA\", value:\"2002:256\");\n\n script_name(english:\"RHEL 2.1 : wget (RHSA-2002:256)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The wget packages shipped with Red Hat Linux Advanced Server 2.1\ncontain a security bug which, under certain circumstances, can cause\nlocal files to be written outside the download directory.\n\n[Updated 09 Jan 2003] Added fixed packages for the Itanium (IA64)\narchitecture.\n\n[Updated 06 Feb 2003] Added fixed packages for Advanced Workstation\n2.1\n\nVersions of wget prior to 1.8.2-4 contain a bug that permits a\nmalicious FTP server to create or overwrite files anywhere on the\nlocal file system.\n\nFTP clients must check to see if an FTP server's response to the NLST\ncommand includes any directory information along with the list of\nfilenames required by the FTP protocol (RFC 959, section 4.1.3).\n\nIf the FTP client fails to do so, a malicious FTP server can send\nfilenames beginning with '/' or containing '/../' which can be used to\ndirect a vulnerable FTP client to write files (such as .forward,\n.rhosts, .shost, etc.) that can then be used for later attacks against\nthe client machine.\n\nAll users of wget should upgrade to the errata packages which are not\nvulnerable to this issue.\n\nThanks to Steven M. Christey for his work in discovering this issue in\ncurrent FTP clients and for providing a patched FTP server to verify\nthe new packages.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2002-1344\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719482\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://marc.info/?l=bugtraq&m=87602746719482\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2002:256\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected wget package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:2.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/12/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^2\\.1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 2.1\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2002:256\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"wget-1.8.2-4.72\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-07T11:51:17", "description": "A vulnerability in all versions of wget prior to and including 1.8.2\nwas discovered by Steven M. Christey. The bug permits a malicious FTP\nserver to create or overwriet files anywhere on the local file system\nby sending filenames beginning with '/' or containing '/../'. This can\nbe used to make vulnerable FTP clients write files that can later be\nused for attack against the client machine.", "edition": 25, "published": "2004-07-31T00:00:00", "title": "Mandrake Linux Security Advisory : wget (MDKSA-2002:086)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1344"], "modified": "2004-07-31T00:00:00", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:7.2", "cpe:/o:mandrakesoft:mandrake_linux:8.2", "cpe:/o:mandrakesoft:mandrake_linux:8.0", "cpe:/o:mandrakesoft:mandrake_linux:9.0", "cpe:/o:mandrakesoft:mandrake_linux:8.1", "p-cpe:/a:mandriva:linux:wget"], "id": "MANDRAKE_MDKSA-2002-086.NASL", "href": "https://www.tenable.com/plugins/nessus/13984", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2002:086. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(13984);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2002-1344\");\n script_xref(name:\"MDKSA\", value:\"2002:086\");\n\n script_name(english:\"Mandrake Linux Security Advisory : wget (MDKSA-2002:086)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Mandrake Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A vulnerability in all versions of wget prior to and including 1.8.2\nwas discovered by Steven M. Christey. The bug permits a malicious FTP\nserver to create or overwriet files anywhere on the local file system\nby sending filenames beginning with '/' or containing '/../'. This can\nbe used to make vulnerable FTP clients write files that can later be\nused for attack against the client machine.\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719482\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://marc.info/?l=bugtraq&m=87602746719482\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected wget package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"wget-1.8.2-3.1mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"wget-1.8.2-3.1mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"wget-1.8.2-3.1mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"wget-1.8.2-3.1mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"wget-1.8.2-3.1mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-06T09:46:03", "description": "Two problems have been found in the wget package as distributed in\nDebian GNU/Linux :\n\n - Stefano Zacchiroli found a buffer overrun in the\n url_filename function, which would make wget segfault on\n very long URLs\n - Steven M. Christey discovered that wget did not verify\n the FTP server response to a NLST command: it must not\n contain any directory information, since that can be\n used to make an FTP client overwrite arbitrary files.\n\nBoth problems have been fixed in version 1.5.3-3.1 for Debian\nGNU/Linux 2.2/potato and version 1.8.1-6.1 for Debian GNU/Linux\n3.0/woody.", "edition": 25, "published": "2004-09-29T00:00:00", "title": "Debian DSA-209-1 : wget - directory traversal", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1565", "CVE-2002-1344"], "modified": "2004-09-29T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:2.2", "cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:wget"], "id": "DEBIAN_DSA-209.NASL", "href": "https://www.tenable.com/plugins/nessus/15046", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-209. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15046);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2002-1344\", \"CVE-2002-1565\");\n script_bugtraq_id(6352);\n script_xref(name:\"DSA\", value:\"209\");\n\n script_name(english:\"Debian DSA-209-1 : wget - directory traversal\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two problems have been found in the wget package as distributed in\nDebian GNU/Linux :\n\n - Stefano Zacchiroli found a buffer overrun in the\n url_filename function, which would make wget segfault on\n very long URLs\n - Steven M. Christey discovered that wget did not verify\n the FTP server response to a NLST command: it must not\n contain any directory information, since that can be\n used to make an FTP client overwrite arbitrary files.\n\nBoth problems have been fixed in version 1.5.3-3.1 for Debian\nGNU/Linux 2.2/potato and version 1.8.1-6.1 for Debian GNU/Linux\n3.0/woody.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2002/dsa-209\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected wget package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/12/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/12/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"2.2\", prefix:\"wget\", reference:\"1.5.3-3.1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"wget\", reference:\"1.8.1-6.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:06", "bulletinFamily": "software", "cvelist": ["CVE-2002-1344", "CVE-2002-1345"], "description": "\r\n\r\n___ Summary __________________________________________________________\r\n\r\n Title: Directory Traversal Vulnerabilities in FTP Clients\r\n Date: December 10, 2002\r\n Author: Steve Christey (coley@mitre.org)\r\n Revision: 1.3\r\n\r\n Product: Multiple FTP and web clients\r\n OS/Platform: Multiple\r\n Vendor: Multiple\r\nVendor Status: Vendors informed individually and through CERT/CC\r\n Risk: Medium. A malicious server could potentially overwrite\r\n key files to cause a denial of service or, in some\r\n cases, gain privileges by modifying executable files.\r\n The risk is mitigated because non-default\r\n configurations are primarily affected, and the user\r\n must be convinced to access the malicious server.\r\n However, web-based clients may be more easily exploited\r\n using server-side vulnerabilities such as XSS.\r\n\r\n\r\nFTP clients, including those that may be embedded in web clients, can\r\nbe vulnerable to certain directory traversal attacks by modified FTP\r\nservers. If successful, the attacks could allow the server to\r\noverwrite or create arbitrary files outside of the client's working\r\ndirectory, subject to file/directory permissions and the privilege\r\nlevel of the client.\r\n\r\nMultiple clients are affected. See "Test Results" for the list of\r\nclients.\r\n\r\n\r\n___ Introduction _____________________________________________________\r\n\r\n\r\nInspiration:\r\n\r\n A colleague of mine selected a bunch of files from an "ftp://" URL\r\n and copied them to a folder en masse.\r\n\r\nRealization:\r\n\r\n FTP clients haven't been reported as being vulnerable to directory\r\n traversal conditions.\r\n\r\nCorrection based on further investigation:\r\n\r\n In 1997, some FTP clients were reported as being vulnerable to\r\n directory traversal conditions [1].\r\n\r\nTheory:\r\n\r\n Some FTP clients are still vulnerable to directory traversal\r\n conditions.\r\n\r\nVerification:\r\n\r\n The task would involve creating a malicious FTP server that would\r\n send filenames with "../" and other sequences as the result of a\r\n "LIST" request, or a "multiple GET" request. The client might then\r\n download these files into some parent directory.\r\n\r\n\r\n___ Testing Methodology ______________________________________________\r\n\r\n\r\nThis methodology is a simplification of the PROTOS methodology as\r\ndeveloped by the Oulu University Secure Programming Group [2], in\r\nwhich a test suite is developed for a particular protocol, and the\r\nsuite is then used against specific implementations. The PROTOS\r\nmethodology has proven effective in finding large numbers of\r\nvulnerabilities in many different products that implement standard\r\nnetworking protocols.\r\n\r\nFor a simple test suite, the "ftp4all" FTP server was modified to\r\nreturn filenames of various forms that might cause files to be created\r\noutside a client's working directory. ftp4all was chosen because it\r\nwas easy to install and it allowed non-root users to run an FTP server\r\non a port other than 21.\r\n\r\nThe files src/ftps/list.c, serverd.c, and transfer.c were changed to\r\nproduce modified filenames, and to return the same test file for any\r\nfilename that the client requests.\r\n\r\nWhen a client sends a LIST or NLST command, the test server returns\r\nfilenames containing the following sequences:\r\n\r\n "../" - classic traversal\r\n "/path" - an absolute pathname\r\n "..\" - backslash traversal pattern (Windows systems)\r\n "C:" - Drive letter traversal (Windows systems)\r\n "..." - "triple-dot" (Windows systems, equivalent to ../..)\r\n\r\nWhen downloading a group of files using wildcards, the FTP client\r\ntypically performs an "NLST" command, reads the list of files returned\r\nby the server, and uses those filenames to make individual requests.\r\n\r\nNote that web clients may also be affected if they can process\r\n"ftp://" URLs.\r\n\r\n\r\nDemonstration Session\r\n---------------------\r\n\r\nFollowing is a simulated session to demonstrate how a vulnerable\r\nclient may behave.\r\n\r\n\r\nCLIENT> CONNECT server\r\n 220 FTP4ALL FTP server ready. Local time is Tue Oct 01, 2002 20:59.\r\n Name (server:username): test\r\n 331 Password required for test.\r\n Password:\r\n 230-Welcome, test - I have not seen you since Tue Oct 01, 2002 20:15 !\r\n 230 At the moment, there are 0 guest and 1 registered users logged in.\r\n\r\nCLIENT> pwd\r\n 257 "/" is current directory.\r\n\r\nCLIENT> ls -l\r\n 200 PORT command successful.\r\n 150 Opening ASCII mode data connection for /bin/ls.\r\n total 1\r\n -rw-r----- 0 nobody nogroup 0 Oct 01 20:11 ...\FAKEME5.txt\r\n -rw-r----- 0 nobody nogroup 0 Oct 01 20:11 ../../FAKEME2.txt\r\n -rw-r----- 0 nobody nogroup 0 Oct 01 20:11 ../FAKEME1.txt\r\n -rw-r----- 0 nobody nogroup 0 Oct 01 20:11 ..\..\FAKEME4.txt\r\n -rw-r----- 0 nobody nogroup 0 Oct 01 20:11 ..\FAKEME3.txt\r\n -rw-r----- 0 nobody nogroup 0 Oct 01 20:11 /tmp/ftptest/FAKEME6.txt\r\n -rw-r----- 0 nobody nogroup 0 Oct 01 20:11 C:\temp\FAKEME7.txt\r\n -rw-r----- 0 nobody nogroup 54 Oct 01 20:10 FAKEFILE.txt\r\n -rw-r----- 0 nobody nogroup 0 Oct 01 20:11 misc.txt\r\n 226 Directory listing completed.\r\n\r\n\r\nCLIENT> GET *.txt\r\n\r\n Opening ASCII data connection for FAKEFILE.txt...\r\n Saving as "FAKEFILE.txt"\r\n\r\n Opening ASCII data connection for ../../FAKEME2.txt...\r\n Saving as "../../FAKEME2.txt"\r\n\r\n Opening ASCII data connection for /tmp/ftptest/FAKEME6.txt...\r\n Saving as "/tmp/ftptest/FAKEME6.txt"\r\n\r\n [etc.]\r\n\r\n\r\nIf a client is vulnerable, it saves files outside of the user's\r\ncurrent working directory.\r\n\r\n\r\nTesting Notes\r\n-------------\r\n\r\nFor command-line FTP clients, the client was tested in the following\r\nfashion:\r\n\r\n - log onto FTP server\r\n - set no-interactive prompt\r\n - perform "mget" (multiple GET) or equivalent command\r\n\r\n\r\nIn some cases, an FTP client would produce an error as soon as it\r\nencountered a suspicious filename, and skip the remaining filenames.\r\nThus one could not be certain if the client was vulnerable to other\r\nfilenames. If a client demonstrated this behavior, then the server\r\nwas modified to send a single suspicious filename at a time, and the\r\nclient would be executed multiple times.\r\n\r\nOther variants of directory traversal sequences were not tested, as\r\nthere were not sufficient resources to conduct such a comprehensive\r\nanalysis in a timely fashion. See [3] for examples.\r\n\r\nIt is possible that web clients may be vulnerable to the same type of\r\nissue from malicious HTTP servers, when the clients are used to\r\nautomatically download web pages. However, this was not tested.\r\n\r\n\r\n___ Test Results _____________________________________________________\r\n\r\n\r\nThe following products were specifically tested by the author.\r\nDescriptions of this class of problem were reported to CERT/CC and\r\nmajor vendors. Most vendors did not report results back to the\r\nauthor. Consult your vendor, or the associated CERT vulnerability\r\nnote, if your product is not listed here.\r\n\r\n\r\nVulnerable:\r\n\r\n Product ../ ..\ C: /path ...\r\n ------------- --- --- --- ----- ---\r\n wget 1.8.1 yes no no yes{4} no\r\n wget 1.7.1 yes no no no{2} no\r\n OpenBSD 3.0 FTP yes no{1} no{1} yes no\r\n Solaris 2.6, 7 yes no no yes no\r\n\r\n The ftp command on SGI systems is also subject to one or more\r\n flavors of directory traversal attacks. However, details were not\r\n available at the time that this advisory was published.\r\n\r\n\r\nNot Vulnerable:\r\n\r\n Product ../ ..\ C: /path ...\r\n ------------- --- --- --- ----- ---\r\n Red Hat 7.1 no{3} no{3} no{3} no{3} no\r\n Debian 2.4.16 no{3} no{3} no{3} no{3} no\r\n NT SP5 command line no no no no no\r\n XP command (no SP) no no no no no\r\n lftp 2.6.2 no no{1} no{1} no no\r\n NcFTP 3.1.4 no no no no no\r\n Lynx 2.8.1 [FTP traversal not available]\r\n\r\n\r\nNotes:\r\n\r\n {1} installed the file in the current directory\r\n\r\n {2} created subdirectories within the current directory\r\n\r\n {3} generated error message and/or stopped downloading\r\n\r\n {4} only with the -nH option ("Disable host-prefixed directories")\r\n\r\n\r\nOther notes on wget:\r\n\r\n 1) "wget" was tested with the -r (recursive) option.\r\n\r\n 2) When provided with an FTP URL on the command line, it is subject\r\n to "../" traversal\r\n\r\n 3) If there's an FTP link within a web page, it will not follow the\r\n links, and is not subject to traversal\r\n\r\n 4) HOWEVER, if the --follow-ftp option is used, it is subject to\r\n "../" traversal\r\n\r\n 5) When both --follow-ftp and -nH are used, wget is also subject to\r\n "/path" traversal\r\n\r\n 6) wget 1.7.1 was not tested for the -nH absolute path issue, or for\r\n FTP URL's in web pages\r\n\r\n\r\n___ Patches, Workarounds, and Vendor Statements ______________________\r\n\r\n\r\nWorkarounds:\r\n\r\n Some clients may have one or more of the following features. If so,\r\n then enabling these features could notify the user if an attack\r\n occurs, and allow the user to take defensive action.\r\n\r\n These features may be explicitly disabled if the client is being\r\n called from a script or other program that does not require user\r\n intervention.\r\n\r\n 1) The user may be able to set the client to prompt the user when an\r\n existing file is to be overwritten. This is typically a default\r\n behavior.\r\n\r\n 2) A command such as "runique" may be available to force the client\r\n to use a different filename instead of overwriting an existing\r\n file.\r\n\r\n\r\nSun FTP client:\r\n\r\n Statement from Sun\r\n ------------------\r\n\r\n We have investigated this directory traversal issue and do not\r\n think it is a bug. \r\n \r\n The user has several means of protection against this issue.\r\n\r\n 1. By default prompting is turned on, so the user gets a chance to\r\n decide if they want a file returned by mget before it is\r\n downloaded. So files will not be overwritten without prompting the\r\n user.\r\n\r\n 2. When running as an ordinary user, Unix access controls will stop\r\n system files being over written. If a user must run as root, care\r\n needs to be taken which would include not turning off interactive\r\n mode.\r\n\r\n 3. The user may run the "runique" command to force the Solaris ftp\r\n client to avoid overwriting files that already exist.\r\n\r\n The Solaris ftp mget behaviour is consistent with other BSD derived\r\n ftp clients, for example on Linux and FreeBSD. Changing the\r\n existing behaviour will cause problems.\r\n\r\n\r\nSGI FTP client:\r\n\r\n SGI acknowledged the vulnerability via email and is likely to have a\r\n public acknowledgement near the time of this disclosure.\r\n\r\n\r\nOpenBSD:\r\n\r\n Vendor statement (Theo de Raadt):\r\n\r\n "I've forwarded the report to the person who copes with that\r\n stuff. I do not consider this all that serious."\r\n\r\nwget:\r\n\r\n Red Hat Linux has released advisory RHSA-2002:229 at:\r\n http://www.redhat.com/support/errata/RHSA-2002-229.html\r\n\r\n The status of other Linux vendors was unknown at the time this\r\n advisory was published.\r\n\r\n\r\n\r\n___ Vulnerability Identifiers ________________________________________\r\n\r\n\r\nThe following identifiers have been assigned to these issues.\r\n\r\n wget:\r\n\r\n CVE - CAN-2002-1344 [4]\r\n CERT VU - VU#210148 [5]\r\n\r\n FTP command-line clients (UNIX):\r\n\r\n CVE - CAN-2002-1345 [6]\r\n CERT VU - VU#210409 [7]\r\n\r\nThe CVE numbers were assigned by the Common Vulnerabilities and\r\nExposures (CVE) project. These are candidates for inclusion in the\r\nCVE list, which standardizes names for security problems\r\n(http://cve.mitre.org).\r\n\r\nThe CERT VU numbers were assigned by CERT/CC and will be accessible in\r\nthe Vulnerability Notes database (http://www.kb.cert.org/vuls).\r\n\r\nAdditional identifiers will be assigned to separate packages if\r\nnecessary.\r\n\r\n\r\n___ Research and Disclosure History __________________________________\r\n\r\nThe disclosure of this issue has been conducted in accordance with the\r\nChristey/Wysopal "Responsible Vulnerability Disclosure Process" draft,\r\nwhich has expired [8].\r\n\r\nSince multiple vendors and products were affected, the research and\r\ndisclosure history for this issue is extensive. The total amount of\r\ntime required for research, vendor notification, and coordination is\r\nestimated to be 50 hours.\r\n\r\n\r\nResearch and General Notification\r\n---------------------------------\r\nSep 25, 2002 - issue theorized\r\nSep 27, 2002 - modified FTP server created; initial tests\r\nOct 1, 2002 - notified vendor-sec with various responses\r\nOct 10, 2002 - sent update to CERT/CC\r\nOct 11, 2002 - CERT/CC reply\r\nDec 2, 2002 - notified CERT/CC of status\r\nDec 2, 2002 - set release date of December 10, notified all parties\r\nDec 5, 2002 - received CERT ID (VU#210409) for issue\r\nDec 9, 2002 - more edits\r\nDec 9, 2002 - CVE ID's sent to vendor-sec\r\n\r\n\r\nSun (CVE: CAN-2002-1345)\r\n------------------------\r\nSep 27, 2002 - Sun ftp client issue discovered\r\nSep 30, 2002 - Notified Sun\r\nSep 30, 2002 - CERT/CC notified of Sun issue\r\nOct 1, 2002 - initial response from Sun (within 1 day)\r\nOct 1, 2002 - provided fake FTP server to Sun\r\nOct 7, 2002 - additional info from Sun\r\nNov 18, 2002 - response from Sun; will not address issue, as other\r\n protections are already available\r\nDec 2, 2002 - suggested "vendor statement" to Sun\r\nDec 4, 2002 - Sun provides final statement\r\n\r\n\r\nSGI (CVE: CAN-2002-1345)\r\n------------------------\r\nOct 1, 2002 - provided fake FTP server to SGI\r\nNov 5, 2002 - inquiry by SGI on release status\r\nNov 27, 2002 - SGI inquires about release date\r\nDec 2, 2002 - response to SGI; set release to Dec 10?\r\nDec 9, 2002 - CVE candidate acquired, sent to SGI\r\n\r\n\r\nOpenBSD (CVE: CAN-2002-1345)\r\n----------------------------\r\nOct 1, 2002 - OpenBSD client issue discovered\r\nOct 1, 2002 - notified OpenBSD (deraadt@openbsd.org)\r\nDec 2, 2002 - second notification to OpenBSD\r\nDec 2, 2002 - response from Theo de Raadt (original message was lost)\r\nDec 2, 2002 - report forwarded to other OpenBSD maintainers\r\n\r\n\r\nwget (CVE: CAN-2002-1344)\r\n--------------------------\r\nNote: notification and resolution of the wget issue was handled\r\nprimarily through Mark Cox of Red Hat Linux, not the package\r\nmaintainer.\r\n\r\nSep 30, 2002 - wget issue discovered\r\nSep 30, 2002 - notified Mark Cox (Red Hat) of wget issue\r\nOct 1, 2002 - found wget absolute path issue\r\nOct 2, 2002 - provided fake web server to Red Hat\r\nOct 6, 2002 - notified wget developer (hniksic@arsdigita.com)\r\nNov 7, 2002 - inquiry by Red Hat on release status for wget; still\r\n haven't heard back from hniksic@arsdigita.com, need to\r\n consider other options\r\nNov 25, 2002 - Red Hat notifies that wget patches are ready\r\nDec 2, 2002 - notification to wget developer; new email address\r\n found by Red Hat; developer is mostly inactive\r\nDec 9, 2002 - CVE ID acquired, sent to Red Hat\r\n\r\n\r\nOther Activities\r\n----------------\r\nOct 1, 2002 - provided fake FTP server to Solar Designer\r\nOct 1, 2002 - briefly tested lftp\r\nOct 9, 2002 - received report that ncftp is vulnerable to /abs/path\r\n in the -R option; checked 3.1.4, doesn't seem to be an\r\n issue - "-R /" is interpreted as / on local system, so\r\n all pathnames would be "legal"; no response to followup\r\n\r\n\r\n___ References _______________________________________________________\r\n\r\n\r\n[1] "security hole in mget (in ftp client)"\r\n mhpower@MIT.EDU\r\n Bugtraq mailing list\r\n August 5, 1997\r\n http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719482&w=2\r\n\r\n[2] OUSPG: Oulu University Secure Programming Group\r\n http://www.ee.oulu.fi/research/ouspg/index.html\r\n\r\n[3] "A 'straw man' vulnerability auditing checklist"\r\n Steve Christey\r\n SecProg mailing list\r\n December 5, 2002\r\n http://marc.theaimsgroup.com/?l=secprog&m=103911851613670&w=2\r\n\r\n[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1344\r\n\r\n[5] http://www.kb.cert.org/vuls/id/210148\r\n\r\n[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1344\r\n\r\n[7] http://www.kb.cert.org/vuls/id/210409\r\n\r\n[8] http://www.wiretrip.net/rfp/p/doc.asp/i2/d73.htm\r\n\r\n\r\n\r\n___ EOF ______________________________________________________________", "edition": 1, "modified": "2002-12-11T00:00:00", "published": "2002-12-11T00:00:00", "id": "SECURITYVULNS:DOC:3861", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:3861", "title": "Directory Traversal Vulnerabilities in FTP Clients", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:06", "bulletinFamily": "software", "cvelist": ["CVE-2002-1344", "CVE-2002-1345"], "description": "The following security advisory is sent to the securiteam mailing list, and can be found\r\nat the SecuriTeam web site: http://www.securiteam.com\r\n- - promotion\r\n\r\nBeyond Security would like to welcome Tiscali World Online\r\nto our service provider team.\r\nFor more info on their service offering IP-Secure, \r\nplease visit http://www.worldonline.co.za/services/work_ip.asp\r\n- - - - - - - - -\r\n\r\n\r\n\r\n Directory Traversal Vulnerabilities in FTP Clients\r\n------------------------------------------------------------------------\r\n\r\n\r\nSUMMARY\r\n\r\nFTP clients, including those that may be embedded in web clients, can be \r\nvulnerable to certain directory traversal attacks by modified FTP servers. \r\nIf successful, the attacks could allow the server to overwrite or create \r\narbitrary files outside of the client's working directory, subject to \r\nfile/directory permissions and the privilege level of the client.\r\n\r\nMultiple clients are affected. See "Test Results" for the list of clients.\r\n\r\nDETAILS\r\n\r\nVulnerable:\r\n Product ../ ..\ C: /path ...\r\n ------------- --- --- --- ----- ---\r\n wget 1.8.1 yes no no yes{4} no\r\n wget 1.7.1 yes no no no{2} no\r\n OpenBSD 3.0 FTP yes no{1} no{1} yes no\r\n Solaris 2.6, 7 yes no no yes no\r\n\r\nThe ftp command on SGI systems is also subject to one or more flavors of \r\ndirectory traversal attacks. However, details were not available at the \r\ntime that this advisory was published.\r\n\r\nNot Vulnerable:\r\n Product ../ ..\ C: /path ...\r\n ------------- --- --- --- ----- ---\r\n Red Hat 7.1 no{3} no{3} no{3} no{3} no\r\n Debian 2.4.16 no{3} no{3} no{3} no{3} no\r\n NT SP5 command line no no no no no\r\n XP command (no SP) no no no no no\r\n lftp 2.6.2 no no{1} no{1} no no\r\n NcFTP 3.1.4 no no no no no\r\n Lynx 2.8.1 [FTP traversal not available]\r\n\r\nNotes:\r\n{1} installed the file in the current directory\r\n{2} created subdirectories within the current directory\r\n{3} generated error message and/or stopped downloading\r\n{4} only with the -nH option ("Disable host-prefixed directories")\r\n\r\nOther notes on wget:\r\n1) "wget" was tested with the -r (recursive) option.\r\n2) When provided with an FTP URL on the command line, it is subject to \r\n"../" traversal\r\n3) If there's an FTP link within a web page, it will not follow the links, \r\nand is not subject to traversal\r\n4) HOWEVER, if the --follow-ftp option is used, it is subject to "../" \r\ntraversal\r\n5) When both --follow-ftp and -nH are used, wget is also subject to \r\n"/path" traversal\r\n6) wget 1.7.1 was not tested for the -nH absolute path issue, or for FTP \r\nURL's in web pages\r\n\r\nVendor response:\r\nVendors informed individually and through CERT/CC\r\n\r\nRisk:\r\nA malicious server could potentially overwrite key files to cause a denial \r\nof service or, in some cases, gain privileges by modifying executable \r\nfiles. The risk is mitigated because non-default configurations are \r\nprimarily affected, and the user must be convinced to access the malicious \r\nserver. However, web-based clients may be more easily exploited using \r\nserver-side vulnerabilities such as XSS.\r\n\r\nVerification:\r\nThe task would involve creating a malicious FTP server that would send \r\nfilenames with "../" and other sequences as the result of a "LIST" \r\nrequest, or a "multiple GET" request. The client might then download these \r\nfiles into some parent directory.\r\n\r\nTesting Methodology:\r\nThis methodology is a simplification of the PROTOS methodology as \r\ndeveloped by the Oulu University Secure Programming Group [2], in which a \r\ntest suite is developed for a particular protocol, and the suite is then \r\nused against specific implementations. The PROTOS methodology has proven \r\neffective in finding large numbers of vulnerabilities in many different \r\nproducts that implement standard networking protocols.\r\n\r\nFor a simple test suite, the "ftp4all" FTP server was modified to return \r\nfilenames of various forms that might cause files to be created outside a \r\nclient's working directory. ftp4all was chosen because it was easy to \r\ninstall and it allowed non-root users to run an FTP server on a port other \r\nthan 21.\r\n\r\nThe files src/ftps/list.c, serverd.c, and transfer.c were changed to \r\nproduce modified filenames, and to return the same test file for any \r\nfilename that the client requests.\r\n\r\nWhen a client sends a LIST or NLST command, the test server returns \r\nfilenames containing the following sequences:\r\n\r\n "../" - classic traversal\r\n "/path" - an absolute pathname\r\n "..\" - backslash traversal pattern (Windows systems)\r\n "C:" - Drive letter traversal (Windows systems)\r\n "..." - "triple-dot" (Windows systems, equivalent to ../..)\r\n\r\nWhen downloading a group of files using wildcards, the FTP client \r\ntypically performs an "NLST" command, reads the list of files returned by \r\nthe server, and uses those filenames to make individual requests. \r\n\r\nNote that web clients may also be affected if they can process "ftp://" \r\nURLs.\r\n\r\nDemonstration Session:\r\nFollowing is a simulated session to demonstrate how a vulnerable client \r\nmay behave.\r\n\r\n\r\nCLIENT> CONNECT server\r\n 220 FTP4ALL FTP server ready. Local time is Tue Oct 01, 2002 20:59.\r\n Name (server:username): test\r\n 331 Password required for test.\r\n Password:\r\n 230-Welcome, test - I have not seen you since Tue Oct 01, 2002 20:15 !\r\n 230 At the moment, there are 0 guest and 1 registered users logged in.\r\n\r\nCLIENT> pwd\r\n 257 "/" is current directory.\r\n\r\nCLIENT> ls -l\r\n 200 PORT command successful.\r\n 150 Opening ASCII mode data connection for /bin/ls.\r\n total 1\r\n -rw-r----- 0 nobody nogroup 0 Oct 01 20:11 ...\FAKEME5.txt\r\n -rw-r----- 0 nobody nogroup 0 Oct 01 20:11 \r\n./../FAKEME2.txt\r\n -rw-r----- 0 nobody nogroup 0 Oct 01 20:11 ../FAKEME1.txt\r\n -rw-r----- 0 nobody nogroup 0 Oct 01 20:11 \r\n.\..\FAKEME4.txt\r\n -rw-r----- 0 nobody nogroup 0 Oct 01 20:11 ..\FAKEME3.txt\r\n -rw-r----- 0 nobody nogroup 0 Oct 01 20:11 \r\n/tmp/ftptest/FAKEME6.txt\r\n -rw-r----- 0 nobody nogroup 0 Oct 01 20:11 \r\nC:\temp\FAKEME7.txt\r\n -rw-r----- 0 nobody nogroup 54 Oct 01 20:10 FAKEFILE.txt\r\n -rw-r----- 0 nobody nogroup 0 Oct 01 20:11 misc.txt\r\n 226 Directory listing completed.\r\n\r\n\r\nCLIENT> GET *.txt\r\n\r\n Opening ASCII data connection for FAKEFILE.txt...\r\n Saving as "FAKEFILE.txt"\r\n\r\n Opening ASCII data connection for ../../FAKEME2.txt...\r\n Saving as "../../FAKEME2.txt"\r\n\r\n Opening ASCII data connection for /tmp/ftptest/FAKEME6.txt...\r\n Saving as "/tmp/ftptest/FAKEME6.txt"\r\n\r\n [etc.]\r\n\r\nIf a client is vulnerable, it saves files outside of the user's current \r\nworking directory.\r\n\r\nTesting Notes:\r\nFor command-line FTP clients, the client was tested in the following \r\nfashion:\r\n\r\n - log onto FTP server\r\n - set no-interactive prompt\r\n - perform "mget" (multiple GET) or equivalent command\r\n\r\nIn some cases, an FTP client would produce an error as soon as it \r\nencountered a suspicious filename, and skip the remaining filenames. Thus \r\none could not be certain if the client was vulnerable to other filenames. \r\nIf a client demonstrated this behavior, then the server was modified to \r\nsend a single suspicious filename at a time, and the client would be \r\nexecuted multiple times.\r\n\r\nOther variants of directory traversal sequences were not tested, as there \r\nwere not sufficient resources to conduct such a comprehensive analysis in \r\na timely fashion. See [3] for examples.\r\n\r\nIt is possible that web clients may be vulnerable to the same type of \r\nissue from malicious HTTP servers, when the clients are used to \r\nautomatically download web pages. However, this was not tested. \r\n\r\nTest Results:\r\nThe following products were specifically tested by the author. \r\nDescriptions of this class of problem were reported to CERT/CC and major \r\nvendors. Most vendors did not report results back to the author. Consult \r\nyour vendor, or the associated CERT vulnerability note, if your product is \r\nnot listed here.\r\n\r\nPatches, Workarounds, and Vendor Statements:\r\nWorkarounds:\r\nSome clients may have one or more of the following features. If so, then \r\nenabling these features could notify the user if an attack occurs, and \r\nallow the user to take defensive action.\r\n\r\nThese features may be explicitly disabled if the client is being called \r\nfrom a script or other program that does not require user intervention.\r\n\r\n1) The user may be able to set the client to prompt the user when an \r\nexisting file is to be overwritten. This is typically a default behavior.\r\n\r\n2) A command such as "runique" may be available to force the client to use \r\na different filename instead of overwriting an existing file.\r\n\r\nSun FTP client:\r\nStatement from Sun\r\nWe have investigated this directory traversal issue and do not think it is \r\na bug. \r\n\r\nThe user has several means of protection against this issue.\r\n\r\n1. By default prompting is turned on, so the user gets a chance to decide \r\nif they want a file returned by mget before it is downloaded. So files \r\nwill not be overwritten without prompting the user.\r\n\r\n2. When running as an ordinary user, UNIX access controls will stop system \r\nfiles being over written. If a user must run as root, care needs to be \r\ntaken which would include not turning off interactive mode.\r\n\r\n3. The user may run the "runique" command to force the Solaris ftp client \r\nto avoid overwriting files that already exist. \r\n\r\nThe Solaris ftp mget behaviour is consistent with other BSD derived ftp \r\nclients, for example on Linux and FreeBSD. Changing the existing behaviour \r\nwill cause problems.\r\n\r\nSGI FTP client:\r\nSGI acknowledged the vulnerability via email and is likely to have a \r\npublic acknowledgement near the time of this disclosure.\r\n\r\nOpenBSD:\r\nVendor statement (Theo de Raadt):\r\n"I've forwarded the report to the person who copes with that stuff. I do \r\nnot consider this all that serious."\r\n\r\nwget:\r\nRed Hat Linux has released advisory RHSA-2002:229 at: \r\n<http://www.redhat.com/support/errata/RHSA-2002-229.html> \r\nhttp://www.redhat.com/support/errata/RHSA-2002-229.html\r\n\r\nThe status of other Linux vendors was unknown at the time this advisory \r\nwas published.\r\n\r\nResearch and Disclosure History:\r\nThe disclosure of this issue has been conducted in accordance with the \r\nChristey/Wysopal "Responsible Vulnerability Disclosure Process" draft, \r\nwhich has expired [8].\r\n\r\nSince multiple vendors and products were affected, the research and \r\ndisclosure history for this issue is extensive. The total amount of time \r\nrequired for research, vendor notification, and coordination is estimated \r\nto be 50 hours.\r\n\r\nResearch and General Notification:\r\nSep 25, 2002 - issue theorized\r\nSep 27, 2002 - modified FTP server created; initial tests\r\nOct 1, 2002 - notified vendor-sec with various responses\r\nOct 10, 2002 - sent update to CERT/CC\r\nOct 11, 2002 - CERT/CC reply\r\nDec 2, 2002 - notified CERT/CC of status\r\nDec 2, 2002 - set release date of December 10, notified all parties\r\nDec 5, 2002 - received CERT ID (VU#210409) for issue\r\nDec 9, 2002 - more edits\r\nDec 9, 2002 - CVE ID's sent to vendor-sec\r\n\r\nSun (CVE: CAN-2002-1345)\r\nSep 27, 2002 - Sun ftp client issue discovered\r\nSep 30, 2002 - Notified Sun\r\nSep 30, 2002 - CERT/CC notified of Sun issue\r\nOct 1, 2002 - initial response from Sun (within 1 day)\r\nOct 1, 2002 - provided fake FTP server to Sun\r\nOct 7, 2002 - additional info from Sun\r\nNov 18, 2002 - response from Sun; will not address issue, as other \r\nprotections are already available\r\nDec 2, 2002 - suggested "vendor statement" to Sun\r\nDec 4, 2002 - Sun provides final statement\r\n\r\nSGI (CVE: CAN-2002-1345)\r\nOct 1, 2002 - provided fake FTP server to SGI\r\nNov 5, 2002 - inquiry by SGI on release status\r\nNov 27, 2002 - SGI inquires about release date\r\nDec 2, 2002 - response to SGI; set release to Dec 10?\r\nDec 9, 2002 - CVE candidate acquired, sent to SGI\r\n\r\nOpenBSD (CVE: CAN-2002-1345)\r\nOct 1, 2002 - OpenBSD client issue discovered\r\nOct 1, 2002 - notified OpenBSD (deraadt@openbsd.org)\r\nDec 2, 2002 - second notification to OpenBSD\r\nDec 2, 2002 - response from Theo de Raadt (original message was lost)\r\nDec 2, 2002 - report forwarded to other OpenBSD maintainers\r\n\r\nwget (CVE: CAN-2002-1344)\r\nNote: notification and resolution of the wget issue was handled primarily \r\nthrough Mark Cox of Red Hat Linux, not the package maintainer.\r\n\r\nSep 30, 2002 - wget issue discovered\r\nSep 30, 2002 - notified Mark Cox (Red Hat) of wget issue\r\nOct 1, 2002 - found wget absolute path issue\r\nOct 2, 2002 - provided fake web server to Red Hat\r\nOct 6, 2002 - notified wget developer (hniksic@arsdigita.com)\r\nNov 7, 2002 - inquiry by Red Hat on release status for wget; still haven't \r\nheard back from hniksic@arsdigita.com, need to consider other options\r\nNov 25, 2002 - Red Hat notifies that wget patches are ready\r\nDec 2, 2002 - notification to wget developer; new email address found by \r\nRed Hat; developer is mostly inactive\r\nDec 9, 2002 - CVE ID acquired, sent to Red Hat\r\n\r\nOther Activities\r\nOct 1, 2002 - provided fake FTP server to Solar Designer\r\nOct 1, 2002 - briefly tested lftp\r\nOct 9, 2002 - received report that ncftp is vulnerable to /abs/path in the \r\n-R option; checked 3.1.4, doesn't seem to be an issue - "-R /" is \r\ninterpreted as / on local system, so all pathnames would be "legal"; no \r\nresponse to followup \r\n\r\n\r\nADDITIONAL INFORMATION\r\n\r\nReferences:\r\n[1] "security hole in mget (in ftp client)" mhpower@MIT.EDU Bugtraq \r\nmailing list August 5, 1997 \r\n<http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719482&w=2> \r\nhttp://marc.theaimsgroup.com/?l=bugtraq&m=87602746719482&w=2\r\n\r\n[2] OUSPG: Oulu University Secure Programming Group \r\n<http://www.ee.oulu.fi/research/ouspg/index.html> \r\nhttp://www.ee.oulu.fi/research/ouspg/index.html\r\n\r\n[3] "A 'straw man' vulnerability auditing checklist" Steve Christey \r\nSecProg mailing list December 5, 2002 \r\n<http://marc.theaimsgroup.com/?l=secprog&m=103911851613670&w=2> \r\nhttp://marc.theaimsgroup.com/?l=secprog&m=103911851613670&w=2\r\n\r\n[4] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1344> \r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1344\r\n\r\n[5] <http://www.kb.cert.org/vuls/id/210148> \r\nhttp://www.kb.cert.org/vuls/id/210148\r\n\r\n[6] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1344> \r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1344\r\n\r\n[7] <http://www.kb.cert.org/vuls/id/210409> \r\nhttp://www.kb.cert.org/vuls/id/210409\r\n\r\n[8] <http://www.wiretrip.net/rfp/p/doc.asp/i2/d73.htm> \r\nhttp://www.wiretrip.net/rfp/p/doc.asp/i2/d73.htm\r\n\r\nThe information has been provided by <mailto:coley@mitre.org> Steve \r\nChristey.\r\n\r\n\r\n\r\n======================================== \r\n\r\n\r\nThis bulletin is sent to members of the SecuriTeam mailing list. \r\nTo unsubscribe from the list, send mail with an empty subject line and body to:\r\nlist-unsubscribe@securiteam.com \r\nIn order to subscribe to the mailing list, simply forward this email to:\r\nlist-subscribe@securiteam.com \r\n\r\n\r\n==================== \r\n==================== \r\n\r\nDISCLAIMER: \r\nThe information in this bulletin is provided "AS IS" without warranty of any kind. \r\nIn no event shall we be liable for any damages whatsoever including direct, indirect,\r\nincidental, consequential, loss of business profits or special damages. \r\n\r\n\r\n\r\n", "edition": 1, "modified": "2002-12-11T00:00:00", "published": "2002-12-11T00:00:00", "id": "SECURITYVULNS:DOC:3855", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:3855", "title": "[NEWS] Directory Traversal Vulnerabilities in FTP Clients", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}
