Bug in phishing net

Markus Nilsson markus at markusoft.se
Tue May 3 16:23:19 IST 2011


Hi! 

I believe I have found a bug in the phishing net regarding links with :80 in them. 

A link to 
www.site.com:80/folder 
with the text 
www.site.com/folder 
will fail due to a missing $2, which will match www.site.com against www.site.comfolder.


The matching of the squashed link does it correctly: 
$squashedtext =~ s/^(http:\/\/[^:]+):80(\D|$)/$1$2/i; # Remove http:...:80 

but later the substitution for the linkurl is not correct: 
$linkurl =~ s/^(https?:\/\/[^:]+):80($|\D)/$1/i; # Remove http://....:80 


Here is a diff with the small correction: 

--- Message.pm 2011-05-03 17:13:54.000000000 +0200 
+++ Message.pm.NEW 2011-05-03 17:16:20.000000000 +0200 
@@ -7574,21 +7577,21 @@
   $linkurl =~ s/^\[\d*\]//; # Remove leading [numbers]
   $linkurl =~ s/^blocked[:\/]+//i; # Remove "blocked::" labels
   $linkurl =~ s/^blocked[:\/]+//i; # And again, in case there are 2
   $linkurl =~ s/^blocked[:\/]+//i; # And again, in case there are 3
   $linkurl =~ s/^blocked[:\/]+//i; # And again, in case there are 4
   $linkurl =~ s/^outbind:\/\/\d+\//http:\/\//i; # Remove "outbind://22/" type labels
   #$linkurl =~ s/^.*\<((https?|ftp|mailto):[^>]+)\>.*$/$1/i; # Turn blah-blah <http://link.here> blah-blah into "http://link.here"
   $linkurl = $DisarmBaseURL . '/' . $linkurl
     if $linkurl ne "" && $DisarmBaseURL ne "" &&
        $linkurl !~ /^(https?|ftp|mailto):/i;
-  $linkurl =~ s/^(https?:\/\/[^:]+):80($|\D)/$1/i; # Remove http://....:80
+  $linkurl =~ s/^(https?:\/\/[^:]+):80($|\D)/$1$2/i; # Remove http://....:80
   $linkurl =~ s/^(https?|ftp)[:;]\/\///i;
   return ("",0) if $linkurl =~ /^ma[il]+to[:;]/i;
   #$linkurl = "" if $linkurl =~ /^ma[il]+to[:;]/i;
   $linkurl =~ s/[?\/].*$//; # Only compare up to the first '/' or '?'
   $linkurl =~ s/(\<\/?(br|p|ul)\>)*$//ig; # Remove trailing br, p, ul tags
   return ("",0) if $linkurl =~ /^file:/i; # Ignore file: URLs completely
   #$linkurl = "" if $linkurl =~ /^file:/i; # Ignore file: URLs completely
   return ("",0) if $linkurl =~ /^#/; # Ignore internal links completely
   #$linkurl = "" if $linkurl =~ /^#/; # Ignore internal links completely
   $linkurl =~ s/\/$//; # LinkURL is trimmed -- note
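Review bot: on the changed `s/^(https?:\/\/[^:]+):80($|\D)/$1$2/i` line, restoring `$2` is right, but the pattern accepts `https?` while the `$squashedtext` substitution quoted in the message only handles `http:`, so the two sides of the comparison do not normalise the same set of URLs; pick one scheme set for both, bearing in mind that :80 is not the default port for https. Separately, the header `@@ -7574,21 +7577,21 @@` carries a +3 offset although this diff has no earlier hunk that adds lines, so it appears to have been cut from the combined diff; regenerating it against the unmodified Message.pm would avoid relying on offset matching when it is applied.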





I am also hoping that my previous correction (which fixes the problem with multiple signature images being attached, even though configured not to!) will find its way into the source at some point :)

Both corrections are in the diff below! 

--- Message.pm	2011-05-03 17:13:54.000000000 +0200
+++ Message.pm.NEWNEW	2011-05-03 17:18:22.000000000 +0200
@@ -6859,39 +6859,42 @@
         default_h   => [ sub { print @_; },     "text"],
                      )
         ->parse_file($oldname)
         or MailScanner::Log::WarnLog("HTML disarming, can't open file %s: %s",
                                      $oldname, $!);
     }
     # Dump the contents of %DisarmDoneSomething down the pipe
     foreach my $ddskey (keys %DisarmDoneSomething) {
       print $pipe "$ddskey\n";
     }
+    #Add SignatureImageIsFound Magic text if the sig is found
+    print $pipe "SignatureImageIsFound\n" if ($SigImageFound == 1);
     print $pipe "ENDENDEND\n";
     $pipe->close;
     $pipe = undef;
     exit 0;
     # The child will never get here.
   }
 
   # In the parent.
   my @DisarmDoneSomething;
   eval {
     $pipe->reader();
     local $SIG{ALRM} = sub { die "Command Timed Out" };
     alarm MailScanner::Config::Value('spamassassintimeout');
     # Read the contents of %DisarmDoneSomething from the pipe
     my($pipedata);
     while (defined($pipedata = <$pipe>)) {
       last if $pipedata eq "ENDENDEND\n";
       chomp $pipedata;
-      push @DisarmDoneSomething, $pipedata;
+      $SigImageFound = 1 if($pipedata eq "SignatureImageIsFound");
+      push @DisarmDoneSomething, $pipedata unless ($pipedata eq "SignatureImageIsFound");
       #print STDERR "DisarmDoneSomething $pipedata\n";
     }
     waitpid $pid, 0;
     $pipe->close;
     $PipeReturn = $?;
     alarm 0;
     $pid = 0;
   };
   alarm 0;
   # Workaround for bug in perl shipped with Solaris 9,
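Review bot: in the parent's read loop `$SigImageFound` is only ever set to 1, and nothing in the visible lines declares it or resets it before the `eval`, so if it is scoped wider than this call a later message can inherit the flag from an earlier one; initialise it to 0 next to `my @DisarmDoneSomething;`. The sentinel is also compared twice on consecutive lines; `if ($pipedata eq "SignatureImageIsFound") { $SigImageFound = 1; next; }` says the same thing once. Because the marker travels in-band with the `%DisarmDoneSomething` keys, a comment noting that no key may ever be named "SignatureImageIsFound" would help, and `#Add` should be `# Add` to match the surrounding comments.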
@@ -7574,21 +7577,21 @@
   $linkurl =~ s/^\[\d*\]//; # Remove leading [numbers]
   $linkurl =~ s/^blocked[:\/]+//i; # Remove "blocked::" labels
   $linkurl =~ s/^blocked[:\/]+//i; # And again, in case there are 2
   $linkurl =~ s/^blocked[:\/]+//i; # And again, in case there are 3
   $linkurl =~ s/^blocked[:\/]+//i; # And again, in case there are 4
   $linkurl =~ s/^outbind:\/\/\d+\//http:\/\//i; # Remove "outbind://22/" type labels
   #$linkurl =~ s/^.*\<((https?|ftp|mailto):[^>]+)\>.*$/$1/i; # Turn blah-blah <http://link.here> blah-blah into "http://link.here"
   $linkurl = $DisarmBaseURL . '/' . $linkurl
     if $linkurl ne "" && $DisarmBaseURL ne "" &&
        $linkurl !~ /^(https?|ftp|mailto):/i;
-  $linkurl =~ s/^(https?:\/\/[^:]+):80($|\D)/$1/i; # Remove http://....:80
+  $linkurl =~ s/^(https?:\/\/[^:]+):80($|\D)/$1$2/i; # Remove http://....:80
   $linkurl =~ s/^(https?|ftp)[:;]\/\///i;
   return ("",0) if $linkurl =~ /^ma[il]+to[:;]/i;
   #$linkurl = "" if $linkurl =~ /^ma[il]+to[:;]/i;
   $linkurl =~ s/[?\/].*$//; # Only compare up to the first '/' or '?'
   $linkurl =~ s/(\<\/?(br|p|ul)\>)*$//ig; # Remove trailing br, p, ul tags
   return ("",0) if $linkurl =~ /^file:/i; # Ignore file: URLs completely
   #$linkurl = "" if $linkurl =~ /^file:/i; # Ignore file: URLs completely
   return ("",0) if $linkurl =~ /^#/; # Ignore internal links completely
   #$linkurl = "" if $linkurl =~ /^#/; # Ignore internal links completely
   $linkurl =~ s/\/$//; # LinkURL is trimmed -- note
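Review bot: this `:80` hunk is unrelated to the signature-image change in the hunk above it and repeats the standalone diff earlier in the message; sending the two fixes as separate patches would let each be reviewed, applied and reverted on its own. A regression case covering `:80` followed by `/`, by `?` and by end of string would pin down the `$1$2` behaviour.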



BR/ 
Markus 
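
An added illustration of the behaviour described in the message, not part of the original post or of MailScanner's code: it replays only the substitutions from the hunk that decide the host comparison, with the original and the patched `:80` line side by side. The helper name normalise() and the sample URLs are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: reproduces the :80 removal, scheme removal and
# path trimming shown in the diff. $fixed selects the patched line.
sub normalise {
    my ($linkurl, $fixed) = @_;
    if ($fixed) {
        $linkurl =~ s/^(https?:\/\/[^:]+):80($|\D)/$1$2/i;  # patched: keeps the char after :80
    } else {
        $linkurl =~ s/^(https?:\/\/[^:]+):80($|\D)/$1/i;    # original: drops the char after :80
    }
    $linkurl =~ s/^(https?|ftp)[:;]\/\///i;  # drop the scheme
    $linkurl =~ s/[?\/].*$//;                # only compare up to the first '/' or '?'
    $linkurl =~ s/\/$//;                     # trim a trailing slash
    return $linkurl;
}

# Constructed sample links
my @samples = (
    'http://www.site.com:80/folder',    # separator '/' is swallowed by the original line
    'http://www.site.com:80?id=1',      # same for '?'
    'http://www.site.com:80',           # end of string: both versions agree
    'http://www.site.com:8080/folder',  # :80 followed by a digit: left untouched
);

for my $url (@samples) {
    printf "%-34s original=%-20s patched=%s\n",
        $url, normalise($url, 0), normalise($url, 1);
}
```

With the original line the first two samples reduce to `www.site.comfolder` and `www.site.comid=1`, which can never equal the visible text `www.site.com`; with the patched line all of the first three reduce to `www.site.com`.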
