Comments in line:
On Tue, Aug 18, 2015 at 1:24 PM, P K <[email protected]> wrote:

> Hi Guys,
>
> I see when a virus file is uploaded as multipart/formdata it's not detected
> properly by ClamAv. If it's not multipart/formdata it works properly.
>
> I see a few Windows servers upload files using multipart.
>
> Any idea or pointer why it doesn't work with multipart/forms?
>
> md5sum exploit.pdf
> a3e8a7602797c69f6320225e8137d063 exploit.pdf
>
> I was trying the same exploit.pdf virus file (CVE-2009-4324) to upload to a
> Windows server and it's not detected by ClamAv Antivirus.
>
> I tried with detect-pua also and it didn't work for me.
>
> It works fine with curl and other software. Maybe we have to handle it
> separately for Windows servers.
>

What is the curl command you are running where it works?

>
> Below is the output of the virus file to clamav:
>
> Content-Disposition: form-data; name="__EVENTVALIDATION"
>
> /wEWBAK5276uAwLv4ZO6DgLmgPS1DQL374fcBaj9ZhJYdIZVwZS464ZHv7T3ou6w
> -----------------------------21154944191352840482619583850
> Content-Disposition: form-data; name="destination"
>
> /AnalyticsReports
> -----------------------------21154944191352840482619583850
> Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl05$InputFile"; filename="exploit.pdf"
> Content-Type: application/force-download
>
> %PDF-1.1
> 1 0 obj
> << /Type /Catalog /Outlines 2 0 R /Pages 3 0 R /OpenAction 5 0 R >>
> endobj
> 2 0 obj
> << /Type /Outlines /Count 0 >>
> endobj
> 3 0 obj
> << /Type /Pages /Kids [4 0 R] /Count 1 >>
> endobj
> 4 0 obj
> << /Type /Page /Parent 3 0 R /MediaBox [0 0 612 792] >>
> endobj
> 5 0 obj
> << /Type /Action /S /JavaScript /JS (
> VIRUS DATA .....................
> ...........................................
>
> spray_heap();
> trigger_bug();
>
> ) >>
> endobj
> xref
> 0 6
> 0000000000 65535 f
> 0000000010 00000 n
> 0000000096 00000 n
> 0000000145 00000 n
> 0000000205 00000 n
> 0000000279 00000 n
> trailer
> << /Size 6 /Root 1 0 R >>
> startxref
> 1787
> %%EOF
> -----------------------------21154944191352840482619583850
> Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl05$OverwriteSingle"
>
> on
> -----------------------------21154944191352840482619583850
> Content-Disposition: form-data; name="__spText1"
>
>
> -----------------------------2115494419135284048261958385
>

Detection of PDF viruses likely depends on the body of the request being a pure PDF document, not a multipart form with a PDF in one of the parts. This is totally dependent on the way the signature was written.

> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>
> http://www.clamav.net/contact.html#ml

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
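The reply's point is that the signature fires only when the PDF is the whole object being scanned, so the practical fix on the scanning side is to split the request body on its multipart boundary and hand each file part to the scanner by itself. The following is an added example for this thread, not code from ClamAV or from either poster: a small Python splitter that extracts file parts from a captured multipart/form-data body under the RFC 2046 delimiter rules (the CRLF before each delimiter belongs to the delimiter, not to the part), and a framer that wraps the extracted bytes in clamd's INSTREAM chunk format. The sample request body mirrors the layout of the request quoted above but is constructed here with a harmless stub PDF; the field names and boundary are reused from the post, and the clamd socket path mentioned in the usage note is an assumption about a typical install.

```python
"""Extract file parts from a multipart/form-data body so each upload can be
scanned as a stand-alone file (clamscan on a temp file, or clamd INSTREAM).

Added example for the clamav-devel thread above; not ClamAV code.
The sample body and the stub PDF below are constructed for the demo.
"""
import re
import struct
from typing import List, NamedTuple, Optional, Tuple


class Part(NamedTuple):
    name: str                   # form field name from Content-Disposition
    filename: Optional[str]     # present only for file uploads
    content_type: Optional[str]
    body: bytes                 # raw content, delimiters and headers stripped


def boundary_from_content_type(content_type: str) -> bytes:
    """Pull the boundary parameter out of a Content-Type header value."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    return m.group(1).encode("ascii")


def _header_params(value: str) -> dict:
    # key="value" parameters; ASP.NET field names contain '$', so accept
    # anything but a double quote inside the quotes.
    return dict(re.findall(r'(\w+)="([^"]*)"', value))


def parse_multipart(body: bytes, boundary: bytes) -> List[Part]:
    """Split a CRLF-delimited multipart body into Parts (RFC 2046 rules)."""
    delim = b"\r\n--" + boundary
    # The first delimiter has no CRLF in front of it; prepend one so every
    # delimiter splits the same way.
    segments = (b"\r\n" + body).split(delim)
    parts: List[Part] = []
    for seg in segments[1:]:            # segments[0] is the preamble
        if seg.startswith(b"--"):
            break                       # closing delimiter "--boundary--"
        if not seg.startswith(b"\r\n"):
            raise ValueError("malformed delimiter line")
        head, sep, content = seg[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without header/body separator")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, val = line.partition(":")
            headers[key.strip().lower()] = val.strip()
        params = _header_params(headers.get("content-disposition", ""))
        parts.append(Part(name=params.get("name", ""),
                          filename=params.get("filename"),
                          content_type=headers.get("content-type"),
                          body=content))
    return parts


def scan_targets(body: bytes, content_type: str) -> List[Tuple[str, bytes]]:
    """(filename, bytes) for every uploaded file in the request body."""
    boundary = boundary_from_content_type(content_type)
    return [(p.filename, p.body) for p in parse_multipart(body, boundary)
            if p.filename is not None]


def looks_like_pdf(data: bytes) -> bool:
    """The check a type-based signature effectively makes: magic at offset 0."""
    return data.startswith(b"%PDF-")


def clamd_instream(data: bytes, chunk_size: int = 8192) -> bytes:
    """Frame data for clamd's zINSTREAM command: 'zINSTREAM\\0', then
    <4-byte big-endian length><chunk> repeated, then a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)
    return bytes(out)


# Constructed sample: same field layout as the request in the thread, with a
# harmless stub PDF in place of the exploit file.
BOUNDARY = b"---------------------------21154944191352840482619583850"
STUB_PDF = (b"%PDF-1.1\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
SAMPLE_BODY = b"".join([
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="destination"\r\n\r\n',
    b"/AnalyticsReports\r\n",
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl05$InputFile"; filename="exploit.pdf"\r\n',
    b"Content-Type: application/force-download\r\n\r\n",
    STUB_PDF + b"\r\n",
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl05$OverwriteSingle"\r\n\r\n',
    b"on\r\n",
    b"--" + BOUNDARY + b"--\r\n",
])
SAMPLE_CT = "multipart/form-data; boundary=" + BOUNDARY.decode("ascii")

if __name__ == "__main__":
    print("whole body starts with %PDF-:", looks_like_pdf(SAMPLE_BODY))
    for fname, data in scan_targets(SAMPLE_BODY, SAMPLE_CT):
        print(fname, "starts with %PDF-:", looks_like_pdf(data),
              "| INSTREAM frame bytes:", len(clamd_instream(data)))
```

Run stand-alone, the whole body fails the %PDF- check while the extracted part passes, which is the difference the poster is seeing. To scan for real, either write each extracted part to a temporary file and run clamscan on it, or connect to the clamd socket (commonly /var/run/clamav/clamd.ctl; the path is an assumption about your install) and send the output of clamd_instream(data); clamd answers with "stream: OK" or "stream: <signature> FOUND". The splitter relies on the boundary never appearing inside a part, which the generator is required to guarantee; a hostile client can still pad or mangle the delimiter lines, so treat a ValueError as a reason to reject the upload rather than to skip the scan.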
