A number of Linux distributors have issued patches fixing Wget, a widely used program that fetches Web pages, so that it cannot be misused by attackers.
Canonical and Mandriva have both released advisories about the vulnerability and updated their packages to a fixed version. Red Hat has not yet released an update for the flaw, according to the company's website.
Included in most Linux distributions, GNU Wget is a program that retrieves Web pages and other files from the Internet. A widely used command-line tool, it is often embedded in scripts and programs to download large numbers of Web pages automatically, which is useful for indexing the Web. It also supports FTP (File Transfer Protocol).
Versions 1.12 and older have a vulnerability that attackers could use to place malicious code on the host machine running the software. When Wget downloads a file, the server supplies the file name under which the download is saved; a malicious server can substitute a name that causes a file containing executable code to overwrite an existing file or to be dropped into the system's start-up routine.
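To make the failure mode concrete from the defender's side, here is an added example; it is not code from the article, from GNU Wget or from any distributor's patch. It models a download client that names its output file after whatever the server suggests (a Content-Disposition header or the last segment of the final URL), and then shows the check a hardened client applies before writing: reject names with path separators, dotfile names (where shell start-up files live) and anything that does not resolve inside the chosen download directory. The function names, the sample headers and the destination directory are assumptions constructed for this example.

```python
"""Defensive handling of server-supplied file names (added example).

Assumed names: suggested_name(), safe_output_path(), pinned_output_path(),
triage(). The sample headers below are constructed for illustration.
"""
import os
import re
from urllib.parse import unquote, urlsplit

# Constructed Content-Disposition values a server might send; None means the
# server sent no such header, so the name comes from the URL instead.
SAMPLE_HEADERS = [
    'attachment; filename="report.pdf"',      # benign
    'attachment; filename="../.bashrc"',      # escapes the directory
    'attachment; filename=".profile"',        # dotfile in the download dir
    'attachment; filename="/etc/cron.d/job"', # absolute path
    'attachment; filename="sub/dir/file.txt"',# server-chosen subdirectory
    None,
]

_FILENAME_RE = re.compile(r'filename\*?=\s*"?([^";]+)"?', re.IGNORECASE)


def suggested_name(content_disposition, final_url):
    """Return the name the server suggests, as a naive client would use it.

    Content-Disposition wins; otherwise the last path segment of the
    (possibly redirected) URL is used. No validation happens here.
    """
    if content_disposition:
        match = _FILENAME_RE.search(content_disposition)
        if match:
            name = match.group(1)
            # RFC 5987 form: filename*=UTF-8''name
            if "''" in name:
                name = name.split("''", 1)[1]
            return unquote(name)
    path = urlsplit(final_url).path
    return unquote(path.rsplit("/", 1)[-1]) or "index.html"


def safe_output_path(name, dest_dir):
    """Return an absolute path inside dest_dir, or None if the name is unsafe.

    Rejects empty names, NUL bytes, any path separator, '.'/'..', dotfiles,
    and any result that does not resolve inside dest_dir.
    """
    if not name or "\x00" in name:
        return None
    # Only a bare file name is accepted: the server never picks a directory.
    if "/" in name or "\\" in name:
        return None
    if name in (".", "..") or name.startswith("."):
        return None
    base = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Belt and braces: the joined path must still lie inside dest_dir.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def pinned_output_path(dest_dir, fixed_name):
    """Simplest mitigation: ignore the server's suggestion and write to a
    caller-chosen name, which is what pinning the output name achieves."""
    return safe_output_path(fixed_name, dest_dir)


def triage(headers, final_url="http://example.invalid/download/file.bin",
           dest_dir="/tmp/downloads"):
    """For each header, pair the name a naive client would use with the path
    the hardened check allows (None when rejected)."""
    results = []
    for header in headers:
        name = suggested_name(header, final_url)
        results.append((header, name, safe_output_path(name, dest_dir)))
    return results


if __name__ == "__main__":
    for header, name, path in triage(SAMPLE_HEADERS):
        verdict = "write to %s" % path if path else "REJECTED"
        print("%-42r -> %-20r %s" % (header, name, verdict))
```

Running the block prints one line per constructed header; only the benign name and the URL-derived `file.bin` are accepted, the other four are rejected before any bytes touch the disk. Scripts that embed a downloader should prefer the pinned approach (the caller names the output file) and treat the server's suggestion as untrusted input at best.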
The Openwall Project, a group that focuses on open-source security, discovered the vulnerability late last year, but according to the group, the Wget maintainers initially ignored it.
The keepers of the CVE (Common Vulnerabilities and Exposures) database are reviewing the vulnerability, tracked as CVE-2010-2252, which has been classified as a medium risk.
Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab’s e-mail address is Joab_Jackson@idg.com