Vulnerabilities > CVE-2002-1344

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
gnu
sun
nessus

Summary

Directory traversal vulnerability in wget before 1.8.2-4 allows a remote FTP server to create or overwrite files as the wget user via filenames containing (1) /absolute/path or (2) .. (dot dot) sequences.

Vulnerable Configurations

Part Description Count
Application
Gnu
7
Hardware
Sun
1

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2002-256.NASL
    descriptionThe wget packages shipped with Red Hat Linux Advanced Server 2.1 contain a security bug which, under certain circumstances, can cause local files to be written outside the download directory. [Updated 09 Jan 2003] Added fixed packages for the Itanium (IA64) architecture. [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1 Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious FTP server to create or overwrite files anywhere on the local file system. FTP clients must check to see if an FTP server
    last seen2020-06-01
    modified2020-06-02
    plugin id12334
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12334
    titleRHEL 2.1 : wget (RHSA-2002:256)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2002:256. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(12334);
      script_version ("1.26");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2002-1344");
      script_xref(name:"RHSA", value:"2002:256");
    
      script_name(english:"RHEL 2.1 : wget (RHSA-2002:256)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The wget packages shipped with Red Hat Linux Advanced Server 2.1
    contain a security bug which, under certain circumstances, can cause
    local files to be written outside the download directory.
    
    [Updated 09 Jan 2003] Added fixed packages for the Itanium (IA64)
    architecture.
    
    [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation
    2.1
    
    Versions of wget prior to 1.8.2-4 contain a bug that permits a
    malicious FTP server to create or overwrite files anywhere on the
    local file system.
    
    FTP clients must check to see if an FTP server's response to the NLST
    command includes any directory information along with the list of
    filenames required by the FTP protocol (RFC 959, section 4.1.3).
    
    If the FTP client fails to do so, a malicious FTP server can send
    filenames beginning with '/' or containing '/../' which can be used to
    direct a vulnerable FTP client to write files (such as .forward,
    .rhosts, .shost, etc.) that can then be used for later attacks against
    the client machine.
    
    All users of wget should upgrade to the errata packages which are not
    vulnerable to this issue.
    
    Thanks to Steven M. Christey for his work in discovering this issue in
    current FTP clients and for providing a patched FTP server to verify
    the new packages."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-1344"
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719482
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=87602746719482"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2002:256"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected wget package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:wget");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/12/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/02/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2002:256";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"wget-1.8.2-4.72")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wget");
      }
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-209.NASL
    descriptionTwo problems have been found in the wget package as distributed in Debian GNU/Linux : - Stefano Zacchiroli found a buffer overrun in the url_filename function, which would make wget segfault on very long URLs - Steven M. Christey discovered that wget did not verify the FTP server response to a NLST command: it must not contain any directory information, since that can be used to make an FTP client overwrite arbitrary files. Both problems have been fixed in version 1.5.3-3.1 for Debian GNU/Linux 2.2/potato and version 1.8.1-6.1 for Debian GNU/Linux 3.0/woody.
    last seen2020-06-01
    modified2020-06-02
    plugin id15046
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15046
    titleDebian DSA-209-1 : wget - directory traversal
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-209. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15046);
      script_version("1.21");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2002-1344", "CVE-2002-1565");
      script_bugtraq_id(6352);
      script_xref(name:"DSA", value:"209");
    
      script_name(english:"Debian DSA-209-1 : wget - directory traversal");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two problems have been found in the wget package as distributed in
    Debian GNU/Linux :
    
      - Stefano Zacchiroli found a buffer overrun in the
        url_filename function, which would make wget segfault on
        very long URLs
      - Steven M. Christey discovered that wget did not verify
        the FTP server response to a NLST command: it must not
        contain any directory information, since that can be
        used to make an FTP client overwrite arbitrary files.
    
    Both problems have been fixed in version 1.5.3-3.1 for Debian
    GNU/Linux 2.2/potato and version 1.8.1-6.1 for Debian GNU/Linux
    3.0/woody."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2002/dsa-209"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected wget package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wget");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/12/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/12/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"2.2", prefix:"wget", reference:"1.5.3-3.1")) flag++;
    if (deb_check(release:"3.0", prefix:"wget", reference:"1.8.1-6.1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2002-086.NASL
    descriptionA vulnerability in all versions of wget prior to and including 1.8.2 was discovered by Steven M. Christey. The bug permits a malicious FTP server to create or overwriet files anywhere on the local file system by sending filenames beginning with
    last seen2020-06-01
    modified2020-06-02
    plugin id13984
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13984
    titleMandrake Linux Security Advisory : wget (MDKSA-2002:086)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2002:086. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(13984);
      script_version ("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2002-1344");
      script_xref(name:"MDKSA", value:"2002:086");
    
      script_name(english:"Mandrake Linux Security Advisory : wget (MDKSA-2002:086)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Mandrake Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability in all versions of wget prior to and including 1.8.2
    was discovered by Steven M. Christey. The bug permits a malicious FTP
    server to create or overwriet files anywhere on the local file system
    by sending filenames beginning with '/' or containing '/../'. This can
    be used to make vulnerable FTP clients write files that can later be
    used for attack against the client machine."
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719482
      script_set_attribute(
        attribute:"see_also",
        value:"http://marc.info/?l=bugtraq&m=87602746719482"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected wget package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:wget");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/12/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"wget-1.8.2-3.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"wget-1.8.2-3.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"wget-1.8.2-3.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"wget-1.8.2-3.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"wget-1.8.2-3.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Redhat

advisories
  • rhsa
    idRHSA-2002:229
  • rhsa
    idRHSA-2002:256