[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] [CVE-2016-7098] GNU Wget < 1.18 Access List Bypass / Race Condition
From: Dawid Golunski <dawid () legalhackers ! com>
Date: 2016-11-24 3:52:50
Message-ID: CADSYzss+6tT48nzFfGLiiY+bOQUKK-2_1GFZUMQ=dG7dqGD-xg () mail ! gmail ! com
[Download RAW message or body]
Vulnerability: GNU Wget < 1.18 Access List Bypass / Race Condition
CVE-2016-7098
Discovered by: Dawid Golunski (@dawid_golunski)
https://legalhackers.com
Severity: Medium
GNU wget in version 1.17 and earlier, when used in mirroring/recursive mode,
is affected by a Race Condition vulnerability that might allow remote attackers
to bypass intended wget access list restrictions specified with -A parameter.
This might allow attackers to place malicious/restricted files onto the system.
Depending on the application / download directory, this could potentially lead
to other vulnerabilities such as code execution etc.
The full advisory and a PoC exploit can be found at:
https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html
For updates, follow:
https://twitter.com/dawid_golunski
--
Regards,
Dawid Golunski
https://legalhackers.com
t: @dawid_golunski
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic