[oCERT-2010-001] multiple http client unexpected download filename vulnerability




#2010-001 multiple http client unexpected download filename vulnerability

Description:

The lftp, wget and lwp-download applications are ftp/http clients and file
transfer tools supporting various network protocols. The lwp-download
script is shipped along with the libwww-perl library.

Unsafe behaviours have been found in lftp and lwp-download handling the
Content-Disposition header in conjunction with the 'suggested filename'
functionality.

Additionally, unsafe behaviours have been found in wget and lwp-download in
the case of HTTP 3xx redirections during file downloading. The two
applications automatically use the URL's filename portion specified in the
Location header.

Implicitly trusting the suggested filenames results in a saved file that
differs from the expected one according to the URL specified by the user.
This can be used by an attacker-controlled server to silently write hidden
and/or initialization files under the user's current directory
(e.g. .login, .bashrc).

The impact of this vulnerability is increased in the case of lftp/lftpget
as the default configuration allows file to be overwritten without
prompting the user for confirmation. In the case of lftp the get1 command
is affected. This command can be invoked directly by the user from lftp's
command line interface or indirectly by using the lftpget script, packaged
within the lftp distribution.

Affected version:

lftp <= 4.0.5

wget <= 1.12

libwww-perl <= 5.834

Fixed version:

lftp >= 4.0.6

wget N/A

libwww-perl >= 5.835

Credit: Vulnerability discovered and reported by Hank Leininger and Solar
Designer under the Openwall Project, with further analysis by
Daniele Bianco of oCERT.

CVE: N/A

Timeline:

2009-10-23: vulnerability report received
2010-01-08: further investigations and analysis completed
2010-01-10: contacted wget, libwww-perl and lftp maintainers
2010-01-11: wget didn't acknowledge the report, the issues reported have
not been considered relevant from a security perspective by
the maintainer
2010-01-21: lftp acknowledged the report, preliminary analysis for the
reported issues provided
2010-02-06: wget confirmed the application will not be fixed
2010-02-08: libwww-perl acknowledged the report, preliminary analysis for
the reported issues provided
2010-03-25: lftp 4.0.6 released
2010-05-05: libwww-perl-5.836 released
2010-05-10: contacted affected vendors
2010-05-14: failure reported during notification process of vendor-sec
list, notification re-sent
2010-05-17: advisory published

Permalink:
http://www.ocert.org/advisories/ocert-2010-001.html

--
Daniele Bianco oCERT | Open Source Computer Emergency Response Team
<danbia@xxxxxxxxx> http://www.ocert.org

GPG Key 0x4545E02B
GPG Key fingerprint = 3706 0361 56B2 61B1 B873 E400 353D 54F4 4545 E02B



Relevant Pages

  • Re: NcFTP - password leaking
    ... Wget and lftp have the very same ... "vulnerability" then ncftp or lftp. ...
    (Bugtraq)
  • Re: how to set network io priority for a process?
    ... I've got lftp installed but haven't tried it. ... wget is for script use. ... If lftp had a download queue that was persistant between invocations, ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx ...
    (Debian-User)
  • Re: Off-line HTTP downloader
    ... Alan Connor wrote: ... >> wget and lftp are probably what you are looking for. ... > a google search page. ...
    (comp.os.linux.misc)
  • Re: fetching dvd images of 3.1
    ... fetching with wget results ... lftp did the same for me, ... Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org ...
    (Debian-User)