GNU Wget is vulnerable to an SSRF attack when accessing partially-user-controlled shorthand URLs
Affected versions: (,1.24.5] (every release up to and including 1.24.5). Fixed in 1.25.0.
Consider an application that uses Wget to access a remote resource via a shorthand HTTP URL (no explicit scheme) and passes the user's credentials in the userinfo part of the URL. For example:

wget user_input@example.com/file

An attacker can supply the (seemingly legitimate) input myuser:mypass, which results in the command line:

wget myuser:mypass@example.com/file

This causes Wget to unexpectedly issue an FTP request for the domain myuser, requesting the file mypass@example.com/file.

This allows the attacker to perform an SSRF attack, since they completely control the requested host and partially control the requested path (the path suffix is usually not controlled by the attacker).
Add an explicit scheme to any shorthand URLs accessed with Wget. For example, replace

wget input@myserver

with

wget https://input@myserver
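The following Python example is added here to illustrate the ambiguity and the fix; it is not part of the original advisory or of Wget. It uses Python's urlsplit as a stand-in for generic URL parsing (an assumption: Wget's parser differs in detail, but shows the same behaviour the advisory describes, treating the text before the first colon as a scheme). The hypothetical safe_url helper applies the advisory's mitigation (explicit scheme) and additionally percent-encodes the userinfo so that ':' '@' or '/' supplied by the user cannot alter the host or path.

```python
from urllib.parse import quote, urlsplit

# Constructed sample: the attacker-supplied "credential" from the advisory.
ATTACKER_INPUT = "myuser:mypass"
TARGET_HOST = "example.com"
TARGET_PATH = "file"


def shorthand_url(user_input: str, host: str, path: str) -> str:
    """The vulnerable pattern: user input glued in front of '@' with no scheme."""
    return f"{user_input}@{host}/{path}"


def safe_url(user_input: str, host: str, path: str, scheme: str = "https") -> str:
    """Mitigated pattern: explicit scheme, and the userinfo is percent-encoded
    so the user can only ever supply credentials, never a host or path."""
    user, _, password = user_input.partition(":")
    userinfo = quote(user, safe="")            # encodes '@', '/', ':' ...
    if password:
        userinfo += ":" + quote(password, safe="")
    return f"{scheme}://{userinfo}@{host}/{path}"


def effective_target(url: str) -> tuple:
    """Return (scheme, hostname) as a generic URL parser sees them.
    With the shorthand form the 'scheme' becomes the attacker's username
    and no host is recognised at all; with the explicit scheme the host is
    pinned to the intended server."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname


if __name__ == "__main__":
    bad = shorthand_url(ATTACKER_INPUT, TARGET_HOST, TARGET_PATH)
    good = safe_url(ATTACKER_INPUT, TARGET_HOST, TARGET_PATH)
    print(bad, "->", effective_target(bad))    # ('myuser', None)
    print(good, "->", effective_target(good))  # ('https', 'example.com')
```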