Wget erroneously thinks that the current directory is a
fair game, and will happily write in any file in and below
it. Malicious HTTP response or malicious HTML file can
redirect wget to a file that is vital to the system, and
wget will create/append/overwrite it.
Wget apparently has at least two methods of
``sanitizing'' the potentially malicious data it receives
from the HTTP stream, therefore a malicious redirects can
pass the check. We haven't find a way to trick wget into
writing above the parent directory, which doesn't mean
it's not possible.
Malicious HTTP response can overwrite parts of the
terminal so that the user will not notice anything wrong,
or will believe the error was not fatal.