Bug in phishing net
Markus Nilsson
markus at markusoft.se
Tue May 3 16:23:19 IST 2011
Hi!
I believe I have found a bug in the phishing net regarding links with :80 in them.
A link to
www.site.com:80/folder
with the text
www.site.com/folder
will fail due to a missing $2, which will match www.site.com against www.site.comfolder.
The matching of the squashed link does it correctly:
$squashedtext =~ s/^(http:\/\/[^:]+):80(\D|$)/$1$2/i; # Remove http:...:80
but later the substitution for the linkurl is not correct:
$linkurl =~ s/^(https?:\/\/[^:]+):80($|\D)/$1/i; # Remove http://....:80
Here is a diff with the small correction:
--- Message.pm 2011-05-03 17:13:54.000000000 +0200
+++ Message.pm.NEW 2011-05-03 17:16:20.000000000 +0200
@@ -7574,21 +7577,21 @@
$linkurl =~ s/^\[\d*\]//; # Remove leading [numbers]
$linkurl =~ s/^blocked[:\/]+//i; # Remove "blocked::" labels
$linkurl =~ s/^blocked[:\/]+//i; # And again, in case there are 2
$linkurl =~ s/^blocked[:\/]+//i; # And again, in case there are 3
$linkurl =~ s/^blocked[:\/]+//i; # And again, in case there are 4
$linkurl =~ s/^outbind:\/\/\d+\//http:\/\//i; # Remove "outbind://22/" type labels
#$linkurl =~ s/^.*\<((https?|ftp|mailto):[^>]+)\>.*$/$1/i; # Turn blah-blah <http://link.here> blah-blah into "http://link.here"
$linkurl = $DisarmBaseURL . '/' . $linkurl
if $linkurl ne "" && $DisarmBaseURL ne "" &&
$linkurl !~ /^(https?|ftp|mailto):/i;
- $linkurl =~ s/^(https?:\/\/[^:]+):80($|\D)/$1/i; # Remove http://....:80
+ $linkurl =~ s/^(https?:\/\/[^:]+):80($|\D)/$1$2/i; # Remove http://....:80
$linkurl =~ s/^(https?|ftp)[:;]\/\///i;
return ("",0) if $linkurl =~ /^ma[il]+to[:;]/i;
#$linkurl = "" if $linkurl =~ /^ma[il]+to[:;]/i;
$linkurl =~ s/[?\/].*$//; # Only compare up to the first '/' or '?'
$linkurl =~ s/(\<\/?(br|p|ul)\>)*$//ig; # Remove trailing br, p, ul tags
return ("",0) if $linkurl =~ /^file:/i; # Ignore file: URLs completely
#$linkurl = "" if $linkurl =~ /^file:/i; # Ignore file: URLs completely
return ("",0) if $linkurl =~ /^#/; # Ignore internal links completely
#$linkurl = "" if $linkurl =~ /^#/; # Ignore internal links completely
$linkurl =~ s/\/$//; # LinkURL is trimmed -- note
I am also hoping that my previous correction (which fixes the problem with multiple signature images being attached, even though configured not to!) will find it's way into the source at some point :)
Both corrections are in the diff below!
--- Message.pm 2011-05-03 17:13:54.000000000 +0200
+++ Message.pm.NEWNEW 2011-05-03 17:18:22.000000000 +0200
@@ -6859,39 +6859,42 @@
default_h => [ sub { print @_; }, "text"],
)
->parse_file($oldname)
or MailScanner::Log::WarnLog("HTML disarming, can't open file %s: %s",
$oldname, $!);
}
# Dump the contents of %DisarmDoneSomething down the pipe
foreach my $ddskey (keys %DisarmDoneSomething) {
print $pipe "$ddskey\n";
}
+ #Add SignatureImageIsFound Magic text if the sig is found
+ print $pipe "SignatureImageIsFound\n" if ($SigImageFound == 1);
print $pipe "ENDENDEND\n";
$pipe->close;
$pipe = undef;
exit 0;
# The child will never get here.
}
# In the parent.
my @DisarmDoneSomething;
eval {
$pipe->reader();
local $SIG{ALRM} = sub { die "Command Timed Out" };
alarm MailScanner::Config::Value('spamassassintimeout');
# Read the contents of %DisarmDoneSomething from the pipe
my($pipedata);
while (defined($pipedata = <$pipe>)) {
last if $pipedata eq "ENDENDEND\n";
chomp $pipedata;
- push @DisarmDoneSomething, $pipedata;
+ $SigImageFound = 1 if($pipedata eq "SignatureImageIsFound");
+ push @DisarmDoneSomething, $pipedata unless ($pipedata eq "SignatureImageIsFound");
#print STDERR "DisarmDoneSomething $pipedata\n";
}
waitpid $pid, 0;
$pipe->close;
$PipeReturn = $?;
alarm 0;
$pid = 0;
};
alarm 0;
# Workaround for bug in perl shipped with Solaris 9,
@@ -7574,21 +7577,21 @@
$linkurl =~ s/^\[\d*\]//; # Remove leading [numbers]
$linkurl =~ s/^blocked[:\/]+//i; # Remove "blocked::" labels
$linkurl =~ s/^blocked[:\/]+//i; # And again, in case there are 2
$linkurl =~ s/^blocked[:\/]+//i; # And again, in case there are 3
$linkurl =~ s/^blocked[:\/]+//i; # And again, in case there are 4
$linkurl =~ s/^outbind:\/\/\d+\//http:\/\//i; # Remove "outbind://22/" type labels
#$linkurl =~ s/^.*\<((https?|ftp|mailto):[^>]+)\>.*$/$1/i; # Turn blah-blah <http://link.here> blah-blah into "http://link.here"
$linkurl = $DisarmBaseURL . '/' . $linkurl
if $linkurl ne "" && $DisarmBaseURL ne "" &&
$linkurl !~ /^(https?|ftp|mailto):/i;
- $linkurl =~ s/^(https?:\/\/[^:]+):80($|\D)/$1/i; # Remove http://....:80
+ $linkurl =~ s/^(https?:\/\/[^:]+):80($|\D)/$1$2/i; # Remove http://....:80
$linkurl =~ s/^(https?|ftp)[:;]\/\///i;
return ("",0) if $linkurl =~ /^ma[il]+to[:;]/i;
#$linkurl = "" if $linkurl =~ /^ma[il]+to[:;]/i;
$linkurl =~ s/[?\/].*$//; # Only compare up to the first '/' or '?'
$linkurl =~ s/(\<\/?(br|p|ul)\>)*$//ig; # Remove trailing br, p, ul tags
return ("",0) if $linkurl =~ /^file:/i; # Ignore file: URLs completely
#$linkurl = "" if $linkurl =~ /^file:/i; # Ignore file: URLs completely
return ("",0) if $linkurl =~ /^#/; # Ignore internal links completely
#$linkurl = "" if $linkurl =~ /^#/; # Ignore internal links completely
$linkurl =~ s/\/$//; # LinkURL is trimmed -- note
BR/
Markus
--
This message has been scanned for viruses and dangerous content by CronLab
(www.cronlab.com), and is believed to be clean.
More information about the MailScanner
mailing list