I had a look at Debian bug 284875, "wget: Arbitrary file overwriting/appending/creating and other vulnerabilities", specifically about points (1) and (2) therein. I set up the proof of concept Perl script to run via inetd, which I think is a working way of setting it up. The script responds to HTTP queries and does, I think, respond in the way to trigger the exploit. Lynx and wget both follow the redirections.
I can't, however, replicate the points (1) and (2) using version 1.9.1-10 in Debian sid. Instead of overwriting or appending or other bad things happening, wget seems to only create a file with ".1" (or ".2" etc) appended to the filename. The same happens with 1.9.1-8 in Debian sarge. Jan, could you clarify how to replicate these two points? More detailed steps, a typescript (from script(1)) of a terminal session where you do it, or something like that? (I haven't looked at points (3) and (4) yet, I'll do that later.) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
