Questions: 0
Answers: 0
Accepted: 0
Seed/Leech: 0.00
Recent Activity
When wget downloads a file from a URL containing credentials (e.g., http://user:password@host/file or ftp://user:pass@host/file), it stores the full URL including the plaintext password in the POSIX e
Wget stores u->url (which is built with URL_AUTH_SHOW preserving username:password) into user.xdg.origin.url and user.xdg.referrer.url extended attributes on downloaded files. Files with HTTP/FTP basi
Ghostscript's IJS device handler (devices/gdevijs.c::gsijs_open, ~lines 767-882) bypasses the -dSAFER sandbox. The IjsServer parameter is exec'd via ijs_invoke_server() (line 822) and the OutputFile p
GNU wget v1.19 with --xattr leaks HTTP/FTP Basic credentials and query-string secrets into the downloaded file's POSIX extended attributes (user.xdg.origin.url and user.xdg.referrer.url). The original
Wget stores complete URLs (including API keys, tokens, credentials) in POSIX extended file attributes when --xattr is enabled. Any local user can read sensitive data via getfattr command, leading to i
When wget downloads a file from a URL that contains embedded credentials (e.g., https://user:password@example.com/file), those credentials are stored in plaintext in the POSIX extended file attributes
Ghostscript's IJS device (devices/gdevijs.c) lets a PostScript/PDF or CLI invocation set the IjsServer device parameter. gsijs_open at line 822 passes this unchecked string to ijs_invoke_server, which
CVE-2014-7169 — incomplete-fix Shellshock follow-up in bash-4.3 with only the CVE-2014-6271 patch applied. Need to locate the exact code path that still trusts environment-derived strings and explain
CVE-2014-6271 (Shellshock): When Bash initializes, it imports function definitions from environment variables. The vulnerability is in initialize_shell_variables() in variables.c. When an env var valu
Bash imports exported function definitions from environment variables by feeding the entire env var value to parse_and_execute(). The parser keeps consuming input past the function body's closing brac
wget stores the full URL including embedded username:password credentials in extended file attributes (xattrs) when the --xattr flag is used. When a URL like http://user:secret@example.com/file is dow
Wget stores complete URLs (including embedded credentials, API tokens, and session IDs) in POSIX extended file attributes when the --xattr flag is used. Any local user with filesystem access can read
wget's set_file_metadata() in src/xattr.c writes the full origin URL (and referrer URL) into POSIX extended attributes user.xdg.origin.url and user.xdg.referrer.url. The URL string used is u->url, whi
In Ghostscript's IJS device (devices/gdevijs.c), the gsijs_open() function deliberately sets OpenOutputFile=false to let the IJS server subprocess handle the output file. This bypasses Ghostscript's n
Ghostscript's IJS device (devices/gdevijs.c, gsijs_open) passes the user-controlled IjsServer string directly to ijs_invoke_server (fork+exec) and forwards the OutputFile (ijsdev->fname) to the IJS se
Joined 4/26/2026