[Clamav-devel] clamav-devel Digest, Vol 126, Issue 4

P K pkopensrc at gmail.com
Thu Jul 16 12:14:58 EDT 2015


Thanks Brandon.

It means a file upload using a multi-part form will not be detected by ClamAV.
If curl is able to send a multi-part form, it means other browsers can upload
a virus file using a multi form.

Any way to fix this?

Best Regards
Punit Kandoi

On Thu, Jul 16, 2015 at 9:30 PM, <clamav-devel-request at lists.clamav.net>
wrote:

> Today's Topics:
>
>    1. ClamAv not detecting data when sent as file from curl (P K)
>    2. Re: ClamAv not detecting data when sent as file from curl (Brandon Perry)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 16 Jul 2015 21:02:39 +0530
> From: P K <pkopensrc at gmail.com>
> To: clamav-devel at lists.clamav.net
> Subject: [Clamav-devel] ClamAv not detecting data when sent as file from curl
> Message-ID: <CAL0j0DHT34PJVa5YYTh04RHf+kELGsCT8aNhYtXMLW8Bqo5k=w at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi Guys,
>
> I am trying to send EICAR data to ClamAv by two ways:
>
> *1.  By sending EICAR file data as POST data  -> Virus Detected*
>
> *    command ->  curl -X POST -d @eicar.com.txt http://localhost/test.html*
>
>      POST /abcd.html HTTP/1.1
>      User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1  zlib/1.2.3.4 libidn/1.23 librtmp/2.3
>      Accept: */*
>      Content-Length: 68
>      Content-Type: application/x-www-form-urlencoded
>
>       44
>      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
>       0
>
> 2. *When I send the same with a file -> Virus Not Detected*
>
>      *command -> curl -i -F name=eicar.com.txt -F filedata=@eicar.com.txt http://localhost/test.html*
>
>       POST / HTTP/1.1
>       User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
>       Accept: */*
>       Content-Length: 369
>       Expect: 100-continue
>       Content-Type: multipart/form-data; boundary=----------------------------221b58daed79
>
>       171
>       ------------------------------221b58daed79
>      Content-Disposition: form-data; name="name"
>
>      eicar.com.txt
>      ------------------------------221b58daed79
>      Content-Disposition: form-data; name="filedata"; filename="eicar.com.txt"
>      Content-Type: text/plain
>
>      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
>      ------------------------------221b58daed79--
>       0
>
> Any suggestions on what I am missing?
>
> Thanks
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 16 Jul 2015 10:42:17 -0500
> From: Brandon Perry <bperry.volatile at gmail.com>
> To: ClamAV Development <clamav-devel at lists.clamav.net>
> Subject: Re: [Clamav-devel] ClamAv not detecting data when sent as file from curl
> Message-ID: <CAOJKFBBdExHRtCgpWUOLa29AD5bfyjxr0XW6XQnJ-T_scBd56w at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> The body of the HTTP request in the first is only the EICAR file (though
> the 44 and 0 on different lines is odd), but the body of the multi-part
> form request is like embedding the EICAR file into different data (ClamAV
> doesn't know what a multi-part form is). The multi-part form is no longer
> just the EICAR test file, so the signature won't find it.
>
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>
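
The behaviour described in the quoted reply, and one way to handle it on the receiving side, as an added example that is not part of the original thread or of ClamAV: the upload handler splits the multipart/form-data body into its parts and scans each part's content on its own. `whole_file_scan` is a hypothetical stand-in that flags a buffer only when it is the EICAR test file itself (an assumption modelling the reply, not ClamAV's signature logic), and the boundary is a constructed value.

```python
import email

# EICAR test string as quoted in the thread (68 bytes).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
BOUNDARY = "------------------------exampleboundary"  # constructed, not from the page

def whole_file_scan(buf):
    """Hypothetical stand-in scanner: flags only a buffer that is the test file."""
    return buf.rstrip(b"\r\n") == EICAR

def build_upload(filename, data):
    """Build a body shaped like the one `curl -F name=... -F filedata=@...` sends."""
    delim = b"--" + BOUNDARY.encode("ascii")
    fname = filename.encode("ascii")
    return b"\r\n".join([
        delim, b'Content-Disposition: form-data; name="name"', b"", fname,
        delim,
        b'Content-Disposition: form-data; name="filedata"; filename="' + fname + b'"',
        b"Content-Type: text/plain", b"", data,
        delim + b"--", b"",
    ])

def extract_parts(content_type, body):
    """Return (field name, filename, content bytes) for each part of the body."""
    header = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n"
    msg = email.message_from_bytes(header + body)
    if not msg.is_multipart():
        return [(None, None, body)]  # plain POST body: scan it as-is
    parts = []
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        parts.append((name, part.get_filename(), part.get_payload(decode=True)))
    return parts

def scan_upload(content_type, body):
    """Names of the form fields whose extracted content the scanner flags."""
    return [name for name, _fn, data in extract_parts(content_type, body)
            if whole_file_scan(data)]

if __name__ == "__main__":
    ctype = "multipart/form-data; boundary=" + BOUNDARY
    body = build_upload("eicar.com.txt", EICAR)
    print("raw body flagged:   ", whole_file_scan(body))
    print("flagged form fields:", scan_upload(ctype, body))
```

In a deployment the stand-in would be replaced by handing each extracted part to the scanner before the upload is accepted.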

