Triggering Kaspersky antivirus with PHP's IMAP library

Published 2024-08-24 23:04:02 · 2372 characters · 9 views · 0 comments


I just started today working with PHP's IMAP library, and when imap_fetchbody or imap_body is called, it triggers my Kaspersky antivirus. The viruses are Trojan.Win32.Agent.dmyq and Trojan.Win32.FraudPack.aoda. I am running this off a local development machine with XAMPP and Kaspersky AV.

Now, I am sure there are viruses there since there is spam in the box (who doesn't need some viagra or vicodin these days?). And I know that since the raw body includes attachments and different mime-types, bad stuff can be in the body.

So my question is: are there any risks using these libraries?

I am assuming that the IMAP functions are retrieving the body, caching it to disk/memory and the AV scanning it sees the data.

Is that correct? Are there any known security concerns using this library (I couldn't find any)? Does it clean up cached message parts perfectly or might viral files be sitting somewhere?

Is there a better way to get plain text out of the body than this? Right now I am using the following code (credit to Kevin Steffer):

function get_mime_type(&$structure) {
   // Index matches ext/imap's type constants: TYPETEXT (0) ... TYPEMODEL (7), TYPEOTHER (8)
   $primary_mime_type = array("TEXT", "MULTIPART", "MESSAGE", "APPLICATION", "AUDIO", "IMAGE", "VIDEO", "MODEL", "OTHER");
   if($structure->subtype) {
       return $primary_mime_type[(int) $structure->type] . '/' . $structure->subtype;
   }
   return "TEXT/PLAIN";
}

function get_part($stream, $msg_number, $mime_type, $structure = false, $part_number = false) {

   if(!$structure) {
      $structure = imap_fetchstructure($stream, $msg_number);
   }
   if($structure) {
      if($mime_type == get_mime_type($structure)) {
          if(!$part_number) {
              $part_number = "1"; // a single-part message is always section "1"
          }
          $text = imap_fetchbody($stream, $msg_number, $part_number);
          if($structure->encoding == 3) {          // ENCBASE64
              return imap_base64($text);
          } else if($structure->encoding == 4) {   // ENCQUOTEDPRINTABLE
              return imap_qprint($text);
          } else {
              return $text;                        // 7bit, 8bit, binary, other
          }
      }

      if($structure->type == 1) /* multipart */ {
          // Section ids nest: "2", "2.1", "2.1.3" ... (prefix is empty at the top level).
          // foreach replaces each(), which was deprecated in PHP 7.2 and removed in PHP 8.
          $prefix = $part_number ? $part_number . '.' : '';
          foreach($structure->parts as $index => $sub_structure) {
              $data = get_part($stream, $msg_number, $mime_type, $sub_structure, $prefix . ($index + 1));
              if($data) {
                 return $data;
              }
          } // END OF FOREACH
       } // END OF MULTIPART
   } // END OF STRUCTURE
   return false;
} // END OF FUNCTION

$connection = imap_open($server, $login, $password);
$count      = imap_num_msg($connection);
for($i = 1; $i <= $count; $i++) {
   $header  = imap_headerinfo($connection, $i);
   $from    = $header->fromaddress;
   $to      = $header->toaddress;
   $subject = $header->subject;
   $date    = $header->date;
   $body    = get_part($connection, $i, "TEXT/PLAIN");
}
imap_close($connection);
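One way to do what the question asks, as an added example that is not the original poster's code, the answerers' code, or anything from the PHP manual: walk the structure that imap_fetchstructure() returns, fetch only the text/plain section (with FT_PEEK, so reading does not mark the message seen), decode it by its declared transfer encoding and charset, and build an inventory of attachments from the BODYSTRUCTURE alone so that no attachment bytes are ever pulled across the wire or cached unless you decide to fetch them. The host name, login, password and every function name below are assumptions; ext/imap must be loaded.

```php
<?php
// Added example, not code from the original post: fetch only the text/plain
// section of each message, decode it by its declared transfer encoding, and
// inventory attachments from the structure alone without downloading them.
// Assumes ext/imap is loaded; host, login and password are placeholders.
$login    = 'user@example.com';
$password = getenv('IMAP_PASSWORD');

// ext/imap body-type constants by index, for readable output.
const PART_TYPES = ['TEXT', 'MULTIPART', 'MESSAGE', 'APPLICATION', 'AUDIO', 'IMAGE', 'VIDEO', 'MODEL', 'OTHER'];

// Decode a fetched section by the encoding value imap_fetchstructure() reported.
function decode_part(string $raw, int $encoding): string
{
    switch ($encoding) {
        case ENCBASE64:          return imap_base64($raw);   // 3
        case ENCQUOTEDPRINTABLE: return imap_qprint($raw);   // 4
        default:                 return $raw;                // 7bit, 8bit, binary, other
    }
}

// Charset declared on the part (Content-Type parameter), or null if absent.
function part_charset(object $part): ?string
{
    foreach ($part->parameters ?? [] as $p) {
        if (strcasecmp($p->attribute, 'charset') === 0) {
            return $p->value;
        }
    }
    return null;
}

// Depth-first search for the first part of the given type/subtype. Returns
// [section id, part object] or null. Section ids nest as "2", "2.1", "2.1.3".
function find_part(object $structure, int $type, string $subtype, string $prefix = ''): ?array
{
    if ($structure->type === $type && strcasecmp($structure->subtype ?? '', $subtype) === 0) {
        return [$prefix === '' ? '1' : $prefix, $structure];
    }
    foreach ($structure->parts ?? [] as $i => $sub) {
        $found = find_part($sub, $type, $subtype, ($prefix === '' ? '' : $prefix . '.') . ($i + 1));
        if ($found !== null) {
            return $found;
        }
    }
    return null;
}

// Fetch and decode the text/plain body. FT_PEEK keeps the server from setting
// \Seen; the size cap refuses oversized parts before any decoding happens.
function fetch_text_plain($imap, int $msg_number, int $max_bytes = 1 << 20): ?string
{
    $structure = imap_fetchstructure($imap, $msg_number);
    if ($structure === false) {
        return null;
    }
    $found = find_part($structure, TYPETEXT, 'PLAIN');
    if ($found === null) {
        return null;
    }
    [$section, $part] = $found;
    $raw = imap_fetchbody($imap, $msg_number, $section, FT_PEEK);
    if ($raw === false || strlen($raw) > $max_bytes) {
        return null;
    }
    $text = decode_part($raw, (int) $part->encoding);
    try {
        return mb_convert_encoding($text, 'UTF-8', part_charset($part) ?? 'UTF-8');
    } catch (\ValueError $e) {   // unknown charset label in the message: keep the bytes as they are
        return $text;
    }
}

// Attachment inventory from the BODYSTRUCTURE alone: type, declared name and
// size as the server reports them. No attachment bytes are fetched here.
function list_attachments(object $structure, string $prefix = ''): array
{
    $out  = [];
    $name = null;
    foreach (array_merge($structure->dparameters ?? [], $structure->parameters ?? []) as $p) {
        if (in_array(strtolower($p->attribute), ['filename', 'name'], true)) {
            $name = $p->value;
            break;
        }
    }
    $disposition = strtoupper($structure->disposition ?? '');
    if ($disposition === 'ATTACHMENT' || ($name !== null && $structure->type !== TYPETEXT)) {
        $out[] = [
            'section' => $prefix === '' ? '1' : $prefix,
            'type'    => (PART_TYPES[$structure->type] ?? 'OTHER') . '/' . strtolower($structure->subtype ?? ''),
            'name'    => $name,   // attacker-controlled string: display it, never use it as a path
            'bytes'   => (int) ($structure->bytes ?? 0),
        ];
    }
    foreach ($structure->parts ?? [] as $i => $sub) {
        $out = array_merge($out, list_attachments($sub, ($prefix === '' ? '' : $prefix . '.') . ($i + 1)));
    }
    return $out;
}

// Usage: read-only connection over TLS with certificate validation.
$imap = imap_open('{imap.example.com:993/imap/ssl/validate-cert}INBOX', $login, $password, OP_READONLY);
for ($i = 1, $n = imap_num_msg($imap); $i <= $n; $i++) {
    $body = fetch_text_plain($imap, $i);
    printf("#%d text: %s bytes, attachments: %s\n", $i,
        $body === null ? 'none' : strlen($body),
        json_encode(list_attachments(imap_fetchstructure($imap, $i))));
}
imap_close($imap);
```

The point of the split between find_part() and list_attachments() is that the structure fetch is metadata only: you learn that section 2 is an APPLICATION/OCTET-STREAM called invoice.exe without ever asking the server for its bytes, so nothing AV-worthy lands in your process, the web server's temp directory or the PHP output buffer unless you explicitly fetch that section.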


Comments (2)

新一帅帅 2024-08-31 23:04:03

Your guess seems accurate. IMAP itself is fine. What you do with the contents is what's dangerous.

What's dangerous about virus e-mails is that users might open a .exe attachment or something, so bad attachments and potentially evil HTML are what's being checked. As long as your code handling attachments doesn't tell the user to open them and this is just automatic processing or whatever, you're good to go. If you're planning on outputting HTML contents, be sure to use something like HTML Purifier.
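The two things this answer says to guard against, rendering message HTML and handing attachments to users, as an added example that is not the answerer's code and not HTML Purifier's own documentation: a whitelist HTMLPurifier configuration for mail bodies, and a quarantine routine that stores an attachment under a random name outside the web root with its declared filename kept only as metadata, so nothing in the mailbox can pick its own path or extension on your disk. It assumes ext/imap, the composer package ezyang/htmlpurifier, an open $imap connection from imap_open(), and a $quarantine_dir the web server does not serve; the function names and the sample HTML are constructed for this example.

```php
<?php
// Added example, not code from the original post or from HTML Purifier: render
// a text/html part only after purification, and park attachments under random
// names outside the web root for an AV scan, never under their declared names.
// Assumes ext/imap and HTML Purifier (composer require ezyang/htmlpurifier).
require __DIR__ . '/vendor/autoload.php';

// Whitelist purifier for mail bodies: scripts, forms, styles and event handlers
// do not survive, links are limited to http/https/mailto, and remote resources
// are dropped so merely viewing a message cannot call home to the sender.
function mail_html_purifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,b,i,u,strong,em,blockquote,ul,ol,li,a[href],h1,h2,h3,pre,code');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    $config->set('URI.DisableExternalResources', true);
    $config->set('HTML.Nofollow', true);
    $config->set('HTML.TargetBlank', true);
    $config->set('Cache.DefinitionImpl', null);   // no on-disk definition cache for this example
    return new HTMLPurifier($config);
}

// Input is the already decoded text/html part; output is safe to echo into a page.
function render_mail_html(string $html): string
{
    return mail_html_purifier()->purify($html);
}

// Fetch one attachment section and write it to quarantine. The declared filename
// is attacker-controlled (path separators, double extensions, .exe), so it is kept
// only as metadata; the file gets a random name, mode 0600 and a hash that the
// scanning step can key on. Nothing here ever executes or opens the file.
function quarantine_attachment($imap, int $msg_number, string $section, int $encoding,
                               ?string $declared_name, string $quarantine_dir): array
{
    $raw = imap_fetchbody($imap, $msg_number, $section, FT_PEEK);
    if ($raw === false) {
        throw new RuntimeException("fetch of section $section failed");
    }
    $bytes = match ($encoding) {
        ENCBASE64          => imap_base64($raw),
        ENCQUOTEDPRINTABLE => imap_qprint($raw),
        default            => $raw,
    };
    $id   = bin2hex(random_bytes(16));
    $path = rtrim($quarantine_dir, '/') . "/$id.bin";
    file_put_contents($path, $bytes, LOCK_EX);
    chmod($path, 0600);
    $meta = [
        'declared_name' => $declared_name,
        'message'       => $msg_number,
        'section'       => $section,
        'sha256'        => hash('sha256', $bytes),
        'size'          => strlen($bytes),
        'scanned'       => false,   // flipped by the scanner, not by this code
    ];
    file_put_contents("$path.json", json_encode($meta), LOCK_EX);
    return ['path' => $path, 'meta' => $meta];
}

// Usage with a constructed HTML body (not fetched from a mailbox): the script,
// the tracking image and the javascript: URL do not survive purification.
$sample = '<p>Hi</p><script>alert(1)</script>'
        . '<img src="http://tracker.example/p.gif">'
        . '<a href="javascript:alert(2)">click</a>';
echo render_mail_html($sample), "\n";
```

The quarantine directory should be created outside DocumentRoot with no execute permission for the web server user, and whatever scanner you run (on this machine, Kaspersky) should be pointed at that directory; a detection there is a file you control rather than an alert in the middle of your IMAP session.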

巴黎夜雨 2024-08-31 23:04:03

The AV is detecting these signatures as they pass through the networking stack, most likely. You should be able to tell the source of the detection from the messages Kaspersky is giving you.
