The Internet Dodges Another Bullet With Wget Flaw

“It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP,” developer Vasyl Kaigorodov wrote in a Red Hat Bugzilla comment. –

via The Internet Dodges Another Bullet With Wget Flaw.

Wget is a linux command that allows a shell script to download a web page and store it to a file.  This bug pertains to using a URL to do File Transfer Protocol (FTP) and not HTTP which is what wget was designed for.  Here are a couple more snippets of this bug.

“Random bug found by accident, but the implication is that the FTP server can overwrite your entire filesystem,” Moore tweeted to eWEEK.

Don’t use wget for ftp.  Don’t run wget with root permissions.

So just to recap here, Wget is on nearly every Linux server in the world, and it had a flaw that could have enabled anyone to overwrite directories on a server. That’s very serious.

You should only use wget for http downloads.  This doesn’t sound like one of those Internet Dodges a Bullet problems.

Reporters use Google, find breach, get branded as “hackers”

Call it security through absurdity: a pair of telecom firms have branded reporters for Scripps News as “hackers” after they discovered the personal data of over 170,000 customers—including social security numbers and other identifying data that could be used for identity theft—sitting on a publicly accessible server. While the reporters claim to have discovered the data with a simple Google search, the firms’ lawyer claims they used “automated” means to gain access to the company’s confidential data and that in doing so the reporters violated the Computer Fraud and Abuse Act with their leet hacker skills.

via Reporters use Google, find breach, get branded as “hackers” | Ars Technica.