Developers who bundle GNU's wget utility in their applications should update to the new version, which was released on Boxing Day.
GNU Wget is a free software package for retrieving files using HTTP, HTTPS, FTP and FTPS, the most widely used Internet protocols. It is a non-interactive command-line tool, so it can easily be called from scripts, cron jobs, terminals without X-Windows support, etc. GNU Wget has many features that make retrieving large files or mirroring entire web or FTP sites easy.
The flaw, tracked as CVE-2018-20483, could allow local users to obtain sensitive information (e.g., credentials contained in the download URL) by reading the downloaded file's extended attributes.
The security researcher Gynvael Coldwind (@voltagex) discovered that the stored attributes can include usernames and passwords.
The security researcher Hanno Böck highlighted that URLs can sometimes contain "secret tokens" used for external services such as file hosting. The attributes can be read by anyone logged in to the machine using the getfattr command.
"The URL of downloads gets stored via filesystem attributes on systems that support Unix extended attributes," Böck wrote.
"You can see these attributes on Linux systems by running getfattr -d [filename] (The download URL is stored in a variable "user.xdg.origin.url")."
"This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl," reads the description published by MITRE.
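As an added example (not code from the original article or from the wget project), the following Python script audits a directory tree for the user.xdg.origin.url and user.xdg.referrer.url attributes described above, flags stored URLs that embed credentials or token-like query parameters, and can strip the attributes from a file. The list of secret-looking parameter names is an assumption; it is not taken from the advisory.

```python
"""Audit downloaded files for wget's stored-URL extended attributes (CVE-2018-20483)."""
import os
import sys
from urllib.parse import urlsplit

# Attribute names wget writes on xattr-capable filesystems, as quoted in the advisory.
WGET_XATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")

# Query parameter names that often carry bearer secrets (assumed list, not from the advisory).
SECRET_PARAMS = ("token", "access_token", "key", "apikey", "api_key", "signature", "sig", "auth")


def url_secrets(url: str) -> list:
    """Return the reasons a stored URL is sensitive: userinfo credentials or secret-looking params."""
    parts = urlsplit(url)
    findings = []
    if parts.username is not None or parts.password is not None:
        findings.append("credentials in userinfo")
    for pair in parts.query.split("&"):
        name = pair.split("=", 1)[0].lower()
        if name in SECRET_PARAMS:
            findings.append(f"secret-looking query parameter '{name}'")
    return findings


def audit_file(path: str) -> dict:
    """Map each wget attribute present on `path` to its findings (empty list = URL stored, nothing flagged)."""
    result = {}
    try:
        names = os.listxattr(path)
    except (OSError, AttributeError):  # missing file, no xattr support, or non-Linux platform
        return result
    for name in WGET_XATTRS:
        if name in names:
            url = os.getxattr(path, name).decode("utf-8", "replace")
            result[name] = url_secrets(url)
    return result


def scrub_file(path: str) -> list:
    """Remove wget's URL attributes from `path` (mitigation); returns the names actually removed."""
    removed = []
    for name in WGET_XATTRS:
        try:
            os.removexattr(path, name)
            removed.append(name)
        except (OSError, AttributeError):  # attribute absent or xattrs unsupported
            pass
    return removed


if __name__ == "__main__":
    # Usage: python audit_xattr.py [directory]; reports every file carrying a wget URL attribute.
    for root, _dirs, files in os.walk(sys.argv[1] if len(sys.argv) > 1 else "."):
        for f in files:
            p = os.path.join(root, f)
            for attr, findings in audit_file(p).items():
                print(f"{p}: {attr}: {', '.join(findings) or 'no secrets detected'}")
```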
The issue has been privately reported to Chrome as well and will be fixed soon.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".