Re: [Bug-wget] security risk of unexpected download filenames


From: Micah Cowan
Subject: Re: [Bug-wget] security risk of unexpected download filenames
Date: Thu, 20 May 2010 14:51:30 -0700
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100423 Thunderbird/3.0.4

On 05/20/2010 02:47 PM, Solar Designer wrote:
> That's correct, except for the "only ... into the home directory" part.
> In practice, this restriction may apply most of the time, but there are
> scenarios where a download into another directory could also allow for
> an attack.  For example, a cron job on a web hosting account may use
> wget to update a file below the "document root".  An attack would be to
> provide an .htaccess file instead.

Hm... a problem with this is that it also applies to the case when
someone is recursively-fetching, and the remote server is (even
accidentally) misconfigured to include .htaccess in auto-generated
indexes (and to allow public reading of that file). No obvious way to
avoid that situation that I can think of... might be worth documenting
somewhere.

-- 
Micah J. Cowan
http://micah.cowan.name/
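The risk discussed in this thread is that the remote side, not the caller, decides the filename wget writes: it comes from the URL path, from a Content-Disposition header (when --content-disposition is enabled), or from whatever an auto-generated index lists during a recursive fetch. The Python below is an added example, not code from the thread or from the wget project, showing how a cron-style wrapper could vet that remote-chosen name before anything lands below a document root: dotfiles such as `.htaccess`, path separators, traversal components and unexpected suffixes are refused, and the caller then fixes the on-disk name itself with `-O`. The allow-listed suffixes, the `example.test` URLs and the simplified Content-Disposition parsing are assumptions made for the example.

```python
"""Added example: validate a server-supplied download name before writing
below a web document root. Not part of the bug-wget thread or of wget."""
import os
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Suffixes the hypothetical cron job expects to refresh (assumption).
ALLOWED_SUFFIXES = {".json", ".csv", ".txt", ".png", ".css", ".js"}

# Simplified matcher for `filename=` / `filename*=UTF-8''` parameters.
_CD_FILENAME = re.compile(r'filename\*?=(?:UTF-8\'\')?"?([^";]+)"?', re.I)


def proposed_name(url: str, content_disposition: Optional[str] = None) -> str:
    """Return the name wget would pick by default: the Content-Disposition
    filename if one is offered (wget honours it with --content-disposition),
    otherwise the last path segment of the URL. Percent-encoding is decoded,
    so `%2Ehtaccess` becomes `.htaccess` just as it would on disk."""
    if content_disposition:
        m = _CD_FILENAME.search(content_disposition)
        if m:
            return unquote(m.group(1).strip())
    return unquote(posixpath.basename(urlsplit(url).path))


def safe_download_name(name: str) -> Tuple[bool, str]:
    """Decide whether a remote-chosen name may be written below docroot.
    Returns (ok, reason) so the wrapper can log why a fetch was refused."""
    if not name:
        return False, "empty name (URL ended in '/')"
    if name in (".", ".."):
        return False, "directory component"
    if "/" in name or "\\" in name or "\x00" in name:
        return False, "path separator or NUL in name"
    if name.startswith("."):
        # .htaccess, .htpasswd, .user.ini ... are all dotfiles the web
        # server itself interprets; none is a legitimate content update.
        return False, "dotfile would be interpreted by the web server"
    suffix = posixpath.splitext(name)[1].lower()
    if suffix not in ALLOWED_SUFFIXES:
        return False, "suffix %r not in allow-list" % suffix
    return True, "ok"


def build_wget_command(url: str, staging_dir: str,
                       content_disposition: Optional[str] = None) -> List[str]:
    """Build the wget argv for a vetted download. The name is forced with
    -O into a staging directory (assumed to sit outside the docroot) so the
    remote side never chooses the path; the caller moves it into place
    afterwards. Raises ValueError when the name fails the policy."""
    name = proposed_name(url, content_disposition)
    ok, reason = safe_download_name(name)
    if not ok:
        raise ValueError("refusing %r from %s: %s" % (name, url, reason))
    return ["wget", "--quiet", "-O", os.path.join(staging_dir, name), url]


if __name__ == "__main__":
    # Constructed inputs; nothing is fetched here.
    for url, cd in [("http://example.test/data/feed.json", None),
                    ("http://example.test/x", 'attachment; filename=".htaccess"'),
                    ("http://example.test/dir/", None)]:
        try:
            print(" ".join(build_wget_command(url, "/var/tmp/staging", cd)))
        except ValueError as exc:
            print(exc)
```

The policy is deliberately an allow-list: refusing only `.htaccess` by name would miss `.htpasswd`, `.user.ini` and whatever else a particular server honours, while requiring an expected suffix and a non-hidden name covers the whole class. For the recursive case Micah raises, where the index itself lists `.htaccess`, the same check can be applied to each listed name before it is queued, or wget's own `--reject` pattern can be used to skip it, but neither changes the fact that the server remains the source of the names.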
