oCERT-2010-001: HTTP Client Filename Injection in LFTP/Wget

From this webpage screenshot, the following key information about the vulnerability can be extracted: 1. Vulnerability ID and Title: - oCERT-2010-001: Multiple HTTP Clients Unexpected Filename Download Vulnerability. 2. Date and Context: - Date: 2010-05-20 4:27:56. - Sender: Solar Designer. - The original email discusses potential issues in Wget and other HTTP clients when parsing filenames. 3. Vulnerability Details: - The vulnerability allows servers to control the filename assigned to downloaded files via HTTP response headers (such as ) or URL parameters. This may lead to filename confusion or unintended file overwrites. 4. Affected Software and Fixes: - LFTP versions 4.0.5 and 4.0.6 are specifically mentioned, with fixes and change notes provided: - Added flag to prevent file overwrites. - Enhanced validation of filenames provided by the server. - Introduced feature (disabled by default). - Vulnerability test case: When downloading from , unpatched LFTP generated disordered filenames like , while the patched version correctly follows the expected filename. 5. Test Results for Other Tools: - Multiple HTTP download tools were tested: - Vulnerable: LFTP, lwp-download, wget. - Secure: curl and ELinks are unaffected. - Uncertain: Lynx results were inconclusive. 6. Open Source Community Collaboration: - The oCERT organization has re-notified relevant upstream maintainers to advance resolution. - The Wget project maintainers had changed at the time, which partially impacted the progress of the discussion.

Goal Reached Thanks to every supporter — we hit 100%!

oCERT-2010-001: HTTP Client Filename Injection in LFTP/Wget