FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

wget -- HTTP to FTP redirection file name confusion vulnerability

Affected packages
wget < 1.18

Details

VuXML ID 6df56c60-3738-11e6-a671-60a44ce6887b
Discovery 2016-06-09
Entry 2016-06-21

Giuseppe Scrivano reports:

On a server redirect from HTTP to a FTP resource, wget would trust the HTTP server and uses the name in the redirected URL as the destination filename.

References

CVE Name CVE-2016-4971
URL http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html