Giuseppe, Micah, all -

As I hope you're aware, oCERT has published an advisory on a security issue with lftp, wget, and libwww-perl. lftp and libwww-perl have fixed the issue. wget didn't.

http://www.ocert.org/advisories/ocert-2010-001.html

Here's a demonstration of an attack on what I think is a typical wget cron job:

http://www.openwall.com/lists/oss-security/2010/05/18/13

The attack provides a .wgetrc, which enables a second invocation of the cron job to overwrite a file such as .bash_profile. This is just one example. Please do not "fix" this by treating ".wgetrc" specially.

Here's an unofficial patch for the issue:

http://www.openwall.com/lists/oss-security/2010/05/17/2

Now that we have a proof-of-concept real-world attack scenario and we readily have a patch, would you possibly consider fixing this upstream?

Thanks,

Alexander
