Hi!

Date: October 2001

Product: Viralator (http://viralator.loddington.com/)

Viralator is a perl-script to be used with the squid proxy, an apache webserver and some virus scanner software. Its purpose is to allow scanning of files downloaded through the proxy for viruses. The product has been listed among the "Top 6 Tools" in SecurityFocus Newsletters #87 and #98.

Affected versions: The problem has been found in all versions currently available for download on the viralator website: 0.7, 0.8 and 0.9pre1

Impact: Remote execution of arbitrary code as the user under whose ID the viralator CGI script is running

Problem: The URL of the file being downloaded is passed as a parameter to the viralator CGI script. This URL is used in an insecure way to download the file using the "wget" utility. After that, the filename part of the URL is used in an insecure way to scan the file for a virus.

Solution: An official patch does not exist at the time of writing. It is advisable to disable access to the script.

History:
- on June 12 2001 I mailed the author about the problem. I received a (very) prompt reply, stating that he was working on a new version.
- on October 18 I remembered the case and took a look at the viralator website. Neither a fixed version nor a warning about the security problem could be found. So I emailed the author again, asking if he is still working on the project. I haven't received a reply yet.

Credits: The problem was reported independently by Pekka Ahmavuo in the viralator developers forum on August 10 (available at the viralator website).

Bye,
Peter
--
Peter Conrad                 Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH      Fax: +49 6102 / 80 99 071
Bahnhofstr. 18
63263 Neu-Isenburg
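The advisory does not reproduce the script's code. As an added illustration (not Viralator's code and not part of the original message), this Perl sketch shows the usual hardening for a CGI that hands a request parameter to wget and then to a scanner: validate the URL against an allow-list, derive the local file name independently, and call external programs in list form so no shell is involved. The function names, the `scanner` command and the spool directory are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Unsafe pattern (the general class of flaw, shown only as a comment):
#   system("wget $url");  system("scanner $filename");
# A single-string system() is run via /bin/sh, so shell metacharacters
# in the request parameter become part of the command line.

# Accept only http/https/ftp URLs built from a conservative character set.
# Query strings are deliberately not allowed in this sketch.
sub validate_url {
    my ($url) = @_;
    return unless defined $url && length($url) <= 2048;
    return $1 if $url =~ m{\A((?:https?|ftp)://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~%/+-]*)?)\z};
    return;
}

# Derive a local name that cannot traverse directories or look like an option.
sub safe_filename {
    my ($url) = @_;
    my ($name) = $url =~ m{/([^/]*)\z};
    $name = '' unless defined $name;
    $name =~ s/[^A-Za-z0-9._-]/_/g;   # neutralise anything unexpected
    $name =~ s/\A[.-]+//;             # no leading "-" or "." (options, dotfiles, "..")
    return length($name) ? $name : 'download.bin';
}

# Build argument lists. Passing such a list to system(@$cmd) uses execvp()
# directly, so no shell ever parses the values.
sub build_commands {
    my ($url, $dir) = @_;
    my $clean = validate_url($url) or return;
    my $path  = "$dir/" . safe_filename($clean);
    return (
        [ 'wget', '-q', '-O', $path, '--', $clean ],
        [ 'scanner', $path ],   # placeholder command; absolute path cannot be read as an option
    );
}

# Constructed sample inputs; the commands are printed here, not executed.
for my $u ('http://example.com/files/setup.exe',
           'http://example.com/-x.zip',
           'http://example.com/a.zip;id',
           'http://example.com/a b.zip') {
    my @cmds = build_commands($u, '/var/spool/viralator-demo');
    if (@cmds) { print join(' ', @$_), "\n" for @cmds }
    else       { print "rejected: $u\n" }
}
```

The first two inputs yield argument lists (the second with the leading dash stripped from the local file name); the last two are rejected before any command is built.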