Thanks Brandon.
It means file upload using multi-part form will not be detected by ClamAv.
If curl is able to send multi-part form it means other browsers can upload
virus file using multi form.
Any way to fix same?
Best Regards
Punit Kandoi
On Thu, Jul 16, 2015 at 9:30 PM, <clamav-devel-request@lists.clamav.net>
wrote:
> Today's Topics:
>
> 1. ClamAv not detecting data when sent as file from curl (P K)
> 2. Re: ClamAv not detecting data when sent as file from curl
> (Brandon Perry)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 16 Jul 2015 21:02:39 +0530
> From: P K <pkopensrc@gmail.com>
> To: clamav-devel@lists.clamav.net
> Subject: [Clamav-devel] ClamAv not detecting data when sent as file
> from curl
> Message-ID:
> <CAL0j0DHT34PJVa5YYTh04RHf+kELGsCT8aNhYtXMLW8Bqo5k=
> w@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi Guys,
>
> I am trying to send EICAR data to ClamAv by two ways:
>
> *1. By sending EICAR file data as POST data -> Virus Detected*
>
> * command -> curl -X POST -d @eicar.com.txt http://localhost/test.html*
>
> POST /abcd.html HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
> OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Accept: */*
> Content-Length: 68
> Content-Type: application/x-www-form-urlencoded
>
> 44
> X5O!P%@AP[.4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
> 0
>
> 2. *When I send same with file -> Virus Not Detected*
>
> *command -> curl -i -F name=eicar.com.txt -F filedata=@eicar.com.txt http://localhost/test.html*
>
> POST / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
> OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Accept: */*
> Content-Length: 369
> Expect: 100-continue
> Content-Type: multipart/form-data;
> boundary=----------------------------221b58daed79
>
> 171
> ------------------------------221b58daed79
> Content-Disposition: form-data; name="name"
>
> eicar.com.txt
> ------------------------------221b58daed79
> Content-Disposition: form-data; name="filedata";
> filename="eicar.com.txt"
> Content-Type: text/plain
>
> X5O!P%@AP[.4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
> ------------------------------221b58daed79--
> 0
>
> Any suggestions what I am missing?
>
> Thanks
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 16 Jul 2015 10:42:17 -0500
> From: Brandon Perry <bperry.volatile@gmail.com>
> To: ClamAV Development <clamav-devel@lists.clamav.net>
> Subject: Re: [Clamav-devel] ClamAv not detecting data when sent as
> file from curl
> Message-ID:
> <
> CAOJKFBBdExHRtCgpWUOLa29AD5bfyjxr0XW6XQnJ-T_scBd56w@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> The body of the HTTP request in the first is only the EICAR file (though
> the 44 and 0 on different lines is odd), but the body of the multi-part
> form request is like embedding the EICAR file into different data (ClamAV
> doesn't know what a multi-part form is). The multi-part form is no longer
> just the EICAR test file, so the signature won't find it.
>
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> clamav-devel mailing list
> clamav-devel@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-devel
>
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>
> http://www.clamav.net/contact.html#ml
>
> ------------------------------
>
> End of clamav-devel Digest, Vol 126, Issue 4
> ********************************************
>
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
http://www.clamav.net/contact.html#ml
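
The behaviour described in the quoted reply, as an added example that is not part of the original thread: the raw multipart body does not match a whole-file signature, but each part does once it is extracted and scanned on its own. `whole_file_scan` is a stand-in for the scanner and all function names are assumptions; in a deployment the `scan` callable would hand each part's bytes to ClamAV.

```python
from email import message_from_bytes

# Test string copied from the capture quoted above; everything else is constructed.
SAMPLE = rb"X5O!P%@AP[.4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
BOUNDARY = "-" * 28 + "221b58daed79"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY


def sample_body() -> bytes:
    """Rebuild the second request body from the capture (constructed)."""
    delim = b"--" + BOUNDARY.encode("ascii")
    return b"\r\n".join([
        delim,
        b'Content-Disposition: form-data; name="name"',
        b"",
        b"eicar.com.txt",
        delim,
        b'Content-Disposition: form-data; name="filedata"; filename="eicar.com.txt"',
        b"Content-Type: text/plain",
        b"",
        SAMPLE,
        delim + b"--",
        b"",
    ])


def whole_file_scan(data: bytes) -> bool:
    """Stand-in scanner (assumption): matches only when the data itself
    is the test file, i.e. begins with the test string."""
    return data.startswith(SAMPLE)


def extract_parts(content_type: str, body: bytes):
    """Split a multipart/form-data body into (field, filename, content)."""
    # Prepend the header so the stdlib MIME parser can find the boundary.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = message_from_bytes(raw)
    if not msg.is_multipart():
        raise ValueError("body is not multipart")
    return [
        (p.get_param("name", header="content-disposition"),
         p.get_filename(),
         p.get_payload(decode=True))
        for p in msg.get_payload()
    ]


def scan_upload(content_type: str, body: bytes, scan=whole_file_scan):
    """Scan each extracted part instead of the raw request body."""
    return [(field, scan(data)) for field, _, data in extract_parts(content_type, body)]
```
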