HackDig : Dig high-quality web security articles for hacker

[CVE-2016-7098] GNU Wget < 1.18 Access List Bypass / Race Condition

2016-11-25 09:15
Vulnerability: GNU Wget < 1.18  Access List Bypass / Race Condition
CVE-2016-7098

Discovered by: Dawid Golunski (@dawid_golunski)
https://legalhackers.com

Severity: Medium

GNU wget in version 1.17 and earlier, when used in mirroring/recursive mode,
is affected by a Race Condition vulnerability that might allow remote attackers
to bypass intended wget access list restrictions specified with -A parameter.
This might allow attackers to place malicious/restricted files onto the system.
Depending on the application / download directory, this could potentially lead
to other vulnerabilities such as code execution etc.

The full advisory and a PoC exploit can be found at:

https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html

For updates, follow:

https://twitter.com/dawid_golunski


--
Regards,
Dawid Golunski
https://legalhackers.com
t: @dawid_golunski

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Source: 141/voN/6102/erusolcsidlluf/gro.stsilces

Read:1828 | Comments:0 | Tags:No Tag

“[CVE-2016-7098] GNU Wget < 1.18 Access List Bypass / Race Condition”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud