On Jul 1, 2012, at 10:13 PM, Hydriz Wikipedia wrote:
As far as I know, the chances are rather slim, because the MediaWiki software has a malware checker (I think).
Perhaps we shall see what the ClamAV checking outputs before we can know what is happening.
MediaWiki supports running ClamAV on upload, but WMF isn't running one. I used to run multiple checks on uploads to Wikimedia Commons, until the server where it ran had a disk failure. AFAIK, there's no extra check being done at all.
On 02/07/12 05:27, Kevin Day wrote:
I've been having a lot of problems with ClamAV crashing, so I've temporarily switched to F-Prot which *did* find something wrong with the earlier mentioned file, as well as two others:
[Found trojan] <JS/Redir.HY (exact, not disinfectable)> /z/public/pub/wikimedia/images/wiktionary/fj/c/c4/citibank-car-loan.pdf
[Found exploit] <CVE-2009-0658 (not disinfectable)> /z/public/pub/wikimedia/images/wikisource/ar/7/7d/الحراب_في_صدر_البهاء_والباب.pdf
[Found exploit] <CVE-2009-0658 (not disinfectable)> /z/public/pub/wikimedia/images/wikisource/ar/b/be/السنة_لابن_حنبل.pdf
At the rate it's going, it's going to take several days to finish, even with several running in parallel. I'll let it finish, but it looks like at minimum there are some old PDFs that have some exploit code in them.
-- Kevin
Interesting. I had some really simple code in that project for detecting CVE-2009-0658. Turns out it would have caught it:

الحراب_في_صدر_البهاء_والباب.pdf PDF uses JBIG2. Beware of the 0-day!
السنة_لابن_حنبل.pdf PDF uses JBIG2. Beware of the 0-day!

Although looking at http://ar.wikisource.org/wiki/%D9%85%D9%84%D9%81:%D8%A7%D9%84%D8%B3%D9%86%D8... and http://ar.wikisource.org/wiki/%D9%85%D9%84%D9%81:%D8%A7%D9%84%D8%B3%D9%86%D8..., they could be false positives.
These other files are also malware: http://ftpmirror.your.org/pub/wikimedia/images/wiktionary/fj/4/4a/quick-mone... http://ftpmirror.your.org/pub/wikimedia/images/wiktionary/fj/0/01/loan-perso... Those three files were uploaded by the same user, and are the only files ever uploaded to fjwiktionary.
You may also find some executables. I remember that someone once uploaded a wine cmd.exe binary as a proof of concept. There were also people uploading embedded files and other nasty bits, but they *should* be deleted. Clearly we failed here.
As for Nemo's bug for detecting wrong PDFs, it's a daunting task. You would need a quite complete PDF parser (and it's not a simple format!). Even worse, CVE-2009-0658 was an Adobe vulnerability in parsing JBIG2 images, so you would need to verify whether the file is consistent or not (OTOH, detecting usage of JBIG2 is simpler).
Thanks, Kevin!
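The "simple code" mentioned in the reply above is not on the page, so the following is an added example (my own, not the thread author's or MediaWiki's code) of the kind of check it describes: a byte-level scan of a PDF for the /JBIG2Decode filter name, which is what triggers the CVE-2009-0658 heuristic. It goes a little beyond a plain substring search by decoding the #xx escapes PDF allows inside name tokens, so that /JBIG2#44ecode is still recognised. The sample PDFs at the bottom are constructed for the example; the function names are my own.

```python
import re
import sys

# A PDF name token is '/' followed by "regular" characters; whitespace and the
# delimiter characters ( ) < > [ ] { } / % end the token.  '#' is a regular
# character and introduces a two-hex-digit escape (PDF 1.7, section 7.3.5).
NAME_RE = re.compile(rb'/([^\s/\[\]<>(){}%]*)')
HEX_ESCAPE_RE = re.compile(rb'#([0-9A-Fa-f]{2})')


def decode_name(raw: bytes) -> bytes:
    """Expand #xx escapes in a raw name token, e.g. b'JBIG2#44ecode' -> b'JBIG2Decode'."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def pdf_names(data: bytes) -> set:
    """Return every (escape-decoded) name token found anywhere in the raw file bytes."""
    return {decode_name(m.group(1)) for m in NAME_RE.finditer(data)}


def uses_jbig2(data: bytes) -> bool:
    """True if any stream in the file declares the JBIG2Decode filter.

    This is the heuristic from the thread: JBIG2 usage itself is not malicious,
    but it is the code path CVE-2009-0658 lived in, so such files get flagged
    for a closer look.
    """
    return b'JBIG2Decode' in pdf_names(data)


def scan_file(path: str) -> str:
    """Produce the one-line verdict in the style of the message above."""
    with open(path, 'rb') as fh:
        data = fh.read()
    if uses_jbig2(data):
        return f'{path} PDF uses JBIG2. Beware of the 0-day!'
    return f'{path} no JBIG2'


# Constructed minimal PDFs for demonstration (not real uploads from the thread).
SAMPLE_JBIG2_PDF = (
    b'%PDF-1.4\n'
    b'1 0 obj << /Type /XObject /Subtype /Image /Width 8 /Height 8'
    b' /ColorSpace /DeviceGray /BitsPerComponent 1'
    b' /Filter [ /FlateDecode /JBIG2Decode ] /Length 0 >>\n'
    b'stream\nendstream\nendobj\n%%EOF\n'
)
SAMPLE_ESCAPED_PDF = SAMPLE_JBIG2_PDF.replace(b'/JBIG2Decode', b'/JBIG2#44ecode')
SAMPLE_PLAIN_PDF = (
    b'%PDF-1.4\n'
    b'1 0 obj << /Type /XObject /Subtype /Image /Width 8 /Height 8'
    b' /ColorSpace /DeviceGray /BitsPerComponent 8 /Filter /DCTDecode /Length 0 >>\n'
    b'stream\nendstream\nendobj\n%%EOF\n'
)


if __name__ == '__main__':
    for path in sys.argv[1:]:
        print(scan_file(path))
```

Two caveats a practitioner should keep in mind. First, this only inspects the raw bytes: a PDF 1.5+ file that stores its image dictionaries inside a compressed object stream (/Type /ObjStm with /FlateDecode) will not expose the /JBIG2Decode name until that stream is inflated, so a thorough scanner has to decode object streams as well. Second, as the reply notes, every legitimately JBIG2-compressed scan (typical for bilevel book pages) trips the heuristic; the check is a triage signal, not a malware verdict.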