wget utility potentially leaked passwords via extended filesystem attributes
Developers who include GNU's wget utility in their applications have to use the new version that was released on Boxing Day.
GNU Wget is a free software package for retrieving files using HTTP, HTTPS and FTP.
The flaw, tracked as CVE-2018-20483, could allow local users to obtain sensitive information (e.g., credentials contained in the download URL) by reading those extended attributes.
The security researcher Gynvael Coldwind (@voltagex) discovered that the stored attributes can include usernames and passwords.
The security researcher Hanno Böck highlighted that URLs can sometimes contain “secret tokens” used for external services like file hosting. The attributes can be read on any machine the user is logged in to by running the getfattr command.
“The URL of downloads gets stored via filesystem attributes on systems that support Unix extended attributes,” Böck wrote.
“You can see these attributes on Linux systems by running getfattr -d [filename] (the download URL is stored in a variable “user.xdg.origin.url”).”
“This also applies to Referer information in the user.xdg.referrer.”
The issue has been privately reported to Chrome as well and will be fixed soon.
The expert Hector Martin pointed out that a threat actor wanting to steal the stored URLs can simply move the files from the target's hard drive to a USB key, since the attributes travel with the file.
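The following script is an added example written for this article; it is not code from wget, from the researchers quoted, or from Security Affairs. It shows the defensive side of the issue: walk a directory, read the user.xdg.origin.url and user.xdg.referrer attributes named above (plus user.xdg.referrer.url, the full referrer name from the freedesktop.org extended-attributes specification), flag any URL that carries userinfo credentials or a secret-looking query token, and overwrite those attributes with a redacted URL. It assumes Linux (os.listxattr, os.getxattr and os.setxattr exist only there) and a filesystem that supports user.* attributes; the sample URLs, host names and the list of "secret-looking" query keys are constructed for the example.

```python
#!/usr/bin/env python3
"""Audit files for xdg download-origin xattrs and scrub credentials from them.
Added example, not wget's own code. Linux only; sample data is constructed."""
import os
import sys
import tempfile
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Attribute names from the article, plus the full referrer name defined by the
# freedesktop.org CommonExtendedAttributes spec.
URL_ATTRS = ("user.xdg.origin.url", "user.xdg.referrer", "user.xdg.referrer.url")
# Query keys treated as secrets: a heuristic chosen for this example, not a standard list.
SENSITIVE_QUERY_KEYS = {"token", "access_token", "key", "api_key", "secret", "sig", "signature"}
REDACTED = "REDACTED"


def url_credentials(url):
    """Return (username, password) from the URL's userinfo, or None if there is none."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return None
    return (parts.username or "", parts.password or "")


def sensitive_query_keys(url):
    """Return the sorted query keys whose names look like secrets."""
    keys = {k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    return sorted(k for k in keys if k.lower() in SENSITIVE_QUERY_KEYS)


def is_sensitive_url(url):
    return url_credentials(url) is not None or bool(sensitive_query_keys(url))


def redact_url(url):
    """Strip userinfo and mask secret-looking query values; otherwise return url unchanged."""
    if not is_sensitive_url(url):
        return url
    parts = urlsplit(url)
    # Everything before the last '@' in the netloc is userinfo; keep host:port verbatim.
    netloc = parts.netloc.rsplit("@", 1)[-1]
    if url_credentials(url) is not None:
        netloc = f"{REDACTED}@{netloc}"
    pairs = [(k, REDACTED if k.lower() in SENSITIVE_QUERY_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(pairs), parts.fragment))


def scan_file(path):
    """Map each URL-carrying xattr on path to its value and whether it looks sensitive."""
    findings = {}
    if not hasattr(os, "listxattr"):  # not Linux
        return findings
    try:
        names = os.listxattr(path)
    except OSError:  # no xattr support, permission denied, file vanished
        return findings
    for name in names:
        if name not in URL_ATTRS:
            continue
        try:
            value = os.getxattr(path, name).decode("utf-8", "replace")
        except OSError:
            continue
        findings[name] = {"url": value, "sensitive": is_sensitive_url(value)}
    return findings


def scrub_file(path):
    """Overwrite sensitive URL xattrs with redacted values; return the names rewritten."""
    scrubbed = []
    for name, info in scan_file(path).items():
        if info["sensitive"]:
            os.setxattr(path, name, redact_url(info["url"]).encode("utf-8"))
            scrubbed.append(name)
    return scrubbed


def audit_tree(root):
    """Yield (path, attribute, url) for every sensitive URL xattr under root."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            for name, info in scan_file(path).items():
                if info["sensitive"]:
                    yield path, name, info["url"]


def main():
    if len(sys.argv) > 1:  # usage: audit_xattrs.py ~/Downloads
        for path, name, url in audit_tree(sys.argv[1]):
            print(f"{path}: {name} = {redact_url(url)}")
        return
    # Demo on a constructed file: plant what a download tool would leave, then audit and scrub.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        os.setxattr(path, "user.xdg.origin.url",
                    b"https://alice:s3cret@files.example.com/backup.tar.gz")
    except (AttributeError, OSError) as exc:
        print(f"cannot set user xattrs here ({exc}); run against a real directory instead")
        os.unlink(path)
        return
    print("before:", scan_file(path))
    print("scrubbed:", scrub_file(path))
    print("after:", scan_file(path))
    os.unlink(path)


if __name__ == "__main__":
    main()
```

Run it with a directory argument to list only the redacted form of each offending URL, so the audit log itself does not reproduce the secret. Because the attributes move with the file whenever a copy tool preserves them (GNU cp with --preserve=xattr, rsync with -X), running the scrub before files are archived, synced or handed to someone else is the practical mitigation for the point Hector Martin raised, in addition to upgrading wget.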
The post wget utility potential leaked password via extended filesystem attributes appeared first on Security Affairs.