From: Peter Conrad (conradtivano.de)
Date: Thu Nov 01 2001 - 02:34:03 CST
Date: October 2001
Product: Viralator (http://viralator.loddington.com/)

Viralator is a perl-script to be used with the squid proxy, an apache
webserver and some virus scanner software. Its purpose is to allow
scanning of files downloaded through the proxy for viruses.
The product has been listed among the "Top 6 Tools" in SecurityFocus
Newsletters #87 and #98.

The problem has been found in all versions currently available for
download on the viralator website: 0.7, 0.8 and 0.9pre1

Remote execution of arbitrary code as the user under whose ID the
viralator CGI script is running

The URL of the file being downloaded is passed as a parameter to the
viralator CGI script. This URL is used in an insecure way to download the
file using the "wget" utility. After that, the filename part of the URL
is used in an insecure way to scan the file for a virus.

An official patch does not exist at the time of writing. It is advisable
to disable access to the script.

- on June 12 2001 I mailed the author about the problem. I received
a (very) prompt reply, stating that he was working on a new version.
- on October 18 I remembered the case and took a look at the viralator
website. Neither a fixed version nor a warning about the security
problem could be found. So I emailed the author again, asking if he
is still working on the project. I haven't received a reply yet.

The problem was reported independently by Pekka Ahmavuo in the viralator
developers forum on August 10 (available at the viralator website).

-- 
Peter Conrad                      Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH           Fax: +49 6102 / 80 99 071
Bahnhofstr. 18
63263 Neu-Isenburg
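
Added example, not Viralator's code and not part of the original advisory: one way a Perl CGI wrapper can hand a user-supplied URL to wget and then to a scanner without a shell ever parsing the URL or the filename. The function names, the allowed character set and the scanner command passed in by the caller are assumptions.

```perl
#!/usr/bin/perl
# Added example (not Viralator's code): fetch and scan a URL without a shell.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Accept only http/https/ftp URLs built from a conservative character set.
sub validate_url {
    my ($url) = @_;
    return undef unless defined $url && length($url) < 2048;
    return $url =~ m{\A((?:https?|ftp)://[A-Za-z0-9.-]+(?::\d+)?(?:/[A-Za-z0-9._~%/+=&?,-]*)?)\z}
        ? $1 : undef;    # the capture also untaints the value under -T
}

# Derive the local filename from the URL, keeping only harmless characters.
# Leading "-" and "." are stripped so it can never look like an option.
sub safe_local_name {
    my ($url) = @_;
    (my $path = $url) =~ s/\?.*\z//s;      # drop the query string
    my ($name) = $path =~ m{([^/]*)\z};    # last path segment
    $name =~ s/[^A-Za-z0-9._-]/_/g;
    $name =~ s/\A[.-]+//;
    return length $name ? $name : 'download';
}

# $scanner is the scanner executable chosen by the administrator (assumption),
# never a value taken from the request.
sub fetch_and_scan {
    my ($raw, $scanner) = @_;
    my $url = validate_url($raw) or return 'rejected';
    my $dir  = tempdir(CLEANUP => 1);
    my $file = File::Spec->catfile($dir, safe_local_name($url));
    # List-form system(): each argument reaches the program as-is, no /bin/sh.
    system('wget', '-q', '-O', $file, '--', $url) == 0 or return 'download failed';
    system($scanner, $file) == 0 or return 'scanner flagged or failed';
    return 'clean';
}

# Constructed inputs; this loop only validates, so it needs no network access.
for my $raw ('http://example.com/files/setup.exe?mirror=2',
             'http://example.com/a.zip;x',
             'http://example.com/--output=x') {
    my $url = validate_url($raw);
    printf "%-45s => %s\n", $raw,
        defined $url ? 'ok, saved as ' . safe_local_name($url) : 'rejected';
}
```

The two properties that matter are the list form of `system()`, which bypasses the shell, and a local filename that is sanitised independently of the URL check.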