Description
Nmap developer nnposter found a security flaw (directory traversal
vulnerability) in the way the non-default http-fetch script sanitized
URLs. If a user manualy ran this NSE script against a malicious web
server, the server could potentially (depending on NSE arguments used)
cause files to be saved outside the intended destination directory.
Existing files couldn't be overwritten. We fixed http-fetch, audited
our other scripts to ensure they didn't make this mistake, and updated
the httpspider library API to protect against this by default.