oCERT-2010-001 multiple http client unexpected download filename

Description:

The lftp, wget and lwp-download applications are FTP/HTTP clients and file transfer tools supporting various network protocols. The lwp-download script is shipped along with the libwww-perl library.

Unsafe behaviours have been found in lftp and lwp-download handling the Content-Disposition header in conjunction with the 'suggested filename' functionality.

Additionally, unsafe behaviours have been found in wget and lwp-download in the case of HTTP 3xx redirections during file downloading. The two applications automatically use the URL's filename portion specified in the Location header.

Implicitly trusting the suggested filenames results in a saved file that differs from the expected one according to the URL specified by the user. This can be used by an attacker-controlled server to silently write hidden and/or initialization files under the user's current directory (e.g. .login, .bashrc).

The impact of this vulnerability is increased in the case of lftp/lftpget as the default configuration allows file to be overwritten without prompting the user for confirmation. In the case of lftp the get1 command is affected. This command can be invoked directly by the user from lftp's command line interface or indirectly by using the lftpget script, packaged within the lftp distribution.

Affected version:

lftp <= 4.0.5

wget <= 1.12

libwww-perl <= 5.834

Fixed version:

lftp >= 4.0.6

wget N/A

libwww-perl >= 5.835

Credit: vulnerability discovered and reported by Hank Leininger and Solar Designer under the Openwall Project, with further analysis by Daniele Bianco of oCERT.

CVE: CVE-2010-2251 (lftp), CVE-2010-2252 (wget), CVE-2010-2253 (libwww-perl)

Timeline:

2009-10-23: vulnerability report received
2010-01-08: further investigations and analysis completed
2010-01-10: contacted wget, libwww-perl and lftp maintainers
2010-01-11: wget didn't acknowledge the report, the issues reported have not been considered relevant from a security perspective by the maintainer
2010-01-21: lftp acknowledged the report, preliminary analysis for the reported issues provided
2010-02-06: wget confirmed the application will not be fixed
2010-02-08: libwww-perl acknowledged the report, preliminary analysis for the reported issues provided
2010-03-25: lftp 4.0.6 released
2010-05-05: libwww-perl-5.836 released
2010-05-10: contacted affected vendors
2010-05-14: failure reported during notification process of vendor-sec list, notification re-sent
2010-05-17: advisory published
2010-06-09: assigned CVE