Vulnerability in Viralator proxy extension

[Peter Conrad <conrad () tivano de>]

Hi!

Date: October 2001

Product: Viralator (http://viralator.loddington.com/)

Viralator is a perl-script to be used with the squid proxy, an apache
webserver and some virus scanner software. Its purpose is to allow
scanning of files downloaded through the proxy for viruses.
The product has been listed among the "Top 6 Tools" in SecurityFocus
Newsletters #87 and #98.

Affected versions:

The problem has been found in all versions currently available for
download on the viralator website: 0.7, 0.8 and 0.9pre1

Impact:

Remote execution of arbitrary code as the user under whose ID the
viralator CGI script is running

Problem:

The URL of the file being downloaded is passed as a parameter to the 
viralator CGI script. This URL is used in an insecure way to download the
file using the "wget" utility. After that, the filename part of the URL
is used in an insecure way to scan the file for a virus.

Solution:

An official patch does not exist at the time of writing. It is advisable 
to disable access to the script.

History:

 - on June 12 2001 I mailed the author about the problem. I received
   a (very) prompt reply, stating that he was working on a new version.
 - on October 18 I remembered the case and took a look at the viralator
   website. Neither a fixed version nor a warning about the security
   problem could be found. So I emailed the author again, asking if he
   is still working on the project. I haven't received a reply yet.

Credits:

The problem was reported independently by Pekka Ahmavuo in the viralator
developers forum on August 10 (available at the viralator website).


Bye,
        Peter
-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18
63263 Neu-Isenburg