COMMAND

viralator

SYSTEMS AFFECTED

viralator 0.7, 0.8 and 0.9pre1

PROBLEM

Peter Conrad reported the following on viralator, a Perl script used together with the squid proxy, an Apache web server and some virus scanner software. Its purpose is to allow files downloaded through the proxy to be scanned for viruses. The URL of the file being downloaded is passed as a parameter to the viralator CGI script. This URL is used in an insecure way to download the file with the "wget" utility. After that, the filename part of the URL is used in an insecure way to scan the file for a virus: it is interpolated into a shell command without being checked or escaped.

According to Pekka Ahmavuo, the following URL:

http://foo/%22%3btouch%20foo%3b.zip

will create a file "foo" in the proxy's cgi-bin directory. The filename, written without URL encoding, is:

";touch foo;.zip

It is trivial to use any other command instead of "touch foo".

SOLUTION

No patch available yet.
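As an added example (not viralator's code), the following Python shows the defensive handling the advisory implies is missing: the filename taken from the URL is checked against a strict whitelist and passed to the scanner as an argv list instead of being interpolated into a shell string. The scanner name, the whitelist pattern and the sample URL are assumptions for illustration.

```python
import re
import subprocess
from urllib.parse import urlsplit, unquote

# Assumption: a conservative whitelist for names we are willing to hand to a
# scanner. Anything outside it (quotes, ';', spaces, '/', ...) is rejected.
SAFE_NAME = re.compile(r'^[A-Za-z0-9._-]{1,255}$')


def filename_from_url(url):
    """Return the URL-decoded last path component, the value a proxy-side
    scanner wrapper would naively use as the local filename."""
    path = urlsplit(url).path          # query string and fragment are dropped
    return unquote(path.rsplit('/', 1)[-1])


def is_safe_filename(name):
    """Whitelist check: only plain names, never '.' or '..'."""
    return bool(SAFE_NAME.match(name)) and name not in ('.', '..')


def plan_scan(url, scanner='clamscan'):
    """Return the argv list to run for this download, or None when the
    decoded name is rejected. Using a list (no shell) means that even a
    name containing ';' or quotes would be a single argument, not a
    command separator; the whitelist additionally keeps odd names out."""
    name = filename_from_url(url)
    if not is_safe_filename(name):
        return None
    return [scanner, '--', name]       # '--' stops option parsing on '-' names


def run_scan(url, scanner='clamscan'):
    """Execute the planned scan without a shell; returns the exit code or
    None when the name was rejected (nothing is executed in that case)."""
    argv = plan_scan(url, scanner)
    if argv is None:
        return None
    return subprocess.run(argv, shell=False).returncode


if __name__ == '__main__':
    # Constructed inputs: the advisory's URL and a benign one.
    for u in ('http://foo/%22%3btouch%20foo%3b.zip', 'http://foo/report.zip'):
        print(repr(filename_from_url(u)), '->', plan_scan(u))
```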