Both exploits are possible because the input of the programs is not properly (or at all) sanitized. Basically, they call
$wget_cmd is shell (/bin/sh) code which shall download a file via wget. As the
$wget_cmd string contains contents from an untrusted source (HTML/XML on some random server), this results in an "arbitrary code execution" vulnerability, the worst-case scenario you could imagine.
If someone is naive enough to even run such a podcatcher as root, this means a remote root exploit!
Anyways, the RedTeam is definately correct in saying that more and more people start listening to podcasts, and more and more podcatchers are written. But few of them are written with security in mind, which leaves many listeners at risk... I wonder how popular closed-source podcatchers such as iTunes are affected here. Are there any published audits/audit-results (black-box auditing, obviously, as you don't have the source code) for iTunes?
As for Free Software implementations... consider this a call for reviews and audits! If you know/use one of the many podcatchers (or an RSS feed aggregator, which are affected by similar issues), and have some knowledge on secure programming, get the source and review the application. Make the software you use, and the world at large, a little safer.
I'll definately have a look at the programs I'm using soonish...
You might have already noticed, but I'll re-iterate nevertheless: the Drupal project has released Drupal 4.6.4 and 4.5.6 which fix three security vulnerabilities. Everyone running a Drupal site is advised to upgrade, as always.
Multiple people were mighty busy yesterday preparing, finalizing and testing the patches and advisories. I was one of them, although I was more like lurking around trying to look busy ;-) Anyways, I have sent the respective advisories (DRUPAL-SA-2005-007, DRUPAL-SA-2005-008, DRUPAL-SA-2005-009) to the "usual suspects" today: Bugtraq, Full Disclosure, and the php-sec mailing list. The advisories have already been picked up by Secunia and a bunch of other security sites...
Btw: I finally received news that my domain was transferred to my new web hoster today, which led to a short downtime. Everything should be fine now. If you notice any problems, please drop me a note.
Everyone using Drupal should upgrade ASAP to the new Drupal 4.6.3 (or 4.5.5 if you're running 4.5.x), as a serious security vulnerability has been found in the third-party XML-RPC library Drupal ships with. I sent the security advisory to Full-Disclosure, Bugtraq and the phpsec mailing lists, so hopefully everyone will notice and upgrade.
Note: This is not the same issue as the one which was fixed earlier!