clamav scan detects problem

chatwizrd · August 24, 2010, 09:35:02 AM

/usr/local/www/apache22/data/roundcube/program/js/tiny_mce/plugins/paste/js/pasteword.js: PUA.HTML.Infected.WebPage-1 FOUND

Clamav tags this file as a pua.

What can we do to resolve this issue?

alec · August 24, 2010, 12:13:35 PM

# clamscan pasteword.js
pasteword.js: OK

----------- SCAN SUMMARY -----------
Known viruses: 817327
Engine version: 0.96.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 3.534 sec (0 m 3 s)

chatwizrd · August 24, 2010, 04:22:26 PM

Guess you didnt enable pua then did you...

--enable-pua=yes

alec · August 25, 2010, 02:44:41 AM

Right, I didn't. I've found that signature for this PUA is

Code Select

<iframe{WILDCARD_ANY_STRING}</iframe>{WILDCARD_ANY_STRING}<html>
So, this could be simply fixed with this patch:

Code Select


--- pasteword.old       2010-08-25 08:34:48.000000000 +0200
+++ pasteword.js        2010-08-25 08:41:05.457746590 +0200
@@ -5,7 +5,7 @@
                var ed = tinyMCEPopup.editor, el = document.getElementById('iframecontainer'), ifr, doc, css, cssHTML = '';
 
                // Create iframe
-               el.innerHTML = '';
+               el.innerHTML = '<' + 'iframe id="iframe" src="javascript:\'\';" frameBorder="0" style="border: 1px solid gray">';
                ifr = document.getElementById('iframe');
                doc = ifr.contentWindow.document;

clamav scan detects problem

chatwizrd

alec

chatwizrd

alec