[Tickets #8094] Re: phishing warning

bugs at horde.org bugs at horde.org
Tue Mar 17 16:11:30 UTC 2009


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/8094
------------------------------------------------------------------------------
  Ticket             | 8094
  Updated By         | dom.lalot at gmail.com
  Summary            | phishing warning
  Queue              | Horde Groupware Webmail Edition
  Version            | 1.2.2
  Type               | Bug
  State              | Unconfirmed
  Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


dom.lalot at gmail.com (2009-03-17 12:11) wrote:

In fact, the URL is over two lines. I don't know how to patch it, and
even if that makes sense. Firefox is interpreting as a

. Séminaires du mois de mars de l'UMR 891 INSERM - Centre de Recherche
en Cancérologie : www.univmed.fr/communication/
?id=45418&file=SEMINAIRES_MARS_09.doc
<http://www.univmed.fr/communication/?id=45418&file=SEMINAIRES_MARS_09.doc>

What has been rendered to firefox is:

       <td bgcolor="#ffffff" height="50">
       <div align="justify"><span class="uni1">&#8226;</span> <span
  class="uni2">S&eacute;minaires </span><span class="uni1">du mois de mars de
l'UMR 891 INSERM - Centre de Recherche en Canc&eacute;rologie : <a  
target="_blank"
  class="mimeStatusWarning"  
href="http://www.univmed.fr/communication/?id=45418&amp;file=SEMINAIRES_MARS_09.doc">www.univmed.fr/communication/<br>

?id=45418&amp;file=SEMINAIRES_MARS_09.doc</a></span><br>
       </div>
       </td>
     </tr>




>> Hello,
>>
>> Our communication department's emails are seen with a phishing warning.
>> So I added some traces in ./lib/Horde/MIME/Viewer/html.php around
>> line 117
>>
>>     preg_match('/\.?([^\.\/]+\.[^\.\/]+)[\/?]/', $link, $host1);
>>     preg_match('/\.?([^\.\/]+\.[^\.\/ ]+)([\/ ].*)?$/', $target, $host2);
>>     if (!(count($host1) && count($host2)) ||
>>         strcasecmp($host1[1], $host2[1]) !== 0) {
>>         Horde::logMessage("tracedom2 l:$link t:$target ".$host1[1]." ".$host2[1], __FILE__, __LINE__, PEAR_LOG_ERR);
>>         $data = preg_replace('/href\s*=\s*["\']?\s*(?:http|https|ftp):\/\/' . preg_quote($m[1][$i], '/') . '["\']?[^>]*>\s*(?:(?:http|https|ftp):\/\/)?' . preg_quote($m[2][$i], '/') . '<\/a/is', 'class="mimeStatusWarning" $0', $data);
>>         $phish_warn = true;
>>     }
>>
>> it produces that:
>>  tracedom2
>> l:www.univmed.fr/communication/?id=45418&amp;file=seminaires_mars_09.doc
>> t:www.univmed.fr/communication/^M
>> ?id=45418&amp;file=seminaires_mars_09.doc univmed.fr ^M
>> ?id=45418&amp;file=seminaires_mars_09.doc [pid 30835 on line 120 of
>> "/var/www/perso/horde-webmail-1.2.2/lib/Horde/MIME/Viewer/html.php"]
>>
>> which means:
>> link and target are equal (maybe we should test for equality first,
>> could be faster than regexp..) and after that there is a confusion for the
>> value of host2. Debugging the regular expression is not easy. I have
>> no patch to put. I prefer to let Mickael have a look..
>>
>> I'm quite sure that /?id= is confusing the regexp
>>
>> Dom
>>
>>
>>
>
> I've added the mail in attachment
>
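
The false positive described in this ticket can be reproduced outside Horde. The following is an added example, not part of the ticket or of Horde's code: it runs the two patterns quoted above on the values from the trace, then repeats the comparison after stripping line breaks from the link text, which is one possible mitigation. The function names are hypothetical, and treating `<br>` and CR/LF inside anchor text as layout only is an assumption.

```php
<?php
// Added example, not Horde code. The two patterns are copied from the ticket;
// the function names are hypothetical.

// Host taken from the href value.
function host_from_href(string $link): ?string
{
    return preg_match('/\.?([^\.\/]+\.[^\.\/]+)[\/?]/', $link, $m) ? $m[1] : null;
}

// Host taken from the visible link text.
function host_from_text(string $target): ?string
{
    return preg_match('/\.?([^\.\/]+\.[^\.\/ ]+)([\/ ].*)?$/', $target, $m) ? $m[1] : null;
}

// Assumption: <br> tags and CR/LF/tab inside anchor text are layout only,
// so they are removed before the host is extracted.
function normalize_link_text(string $target): string
{
    $target = preg_replace('/<br\s*\/?>/i', '', $target);
    return preg_replace('/[\r\n\t]+/', '', $target);
}

// True when the viewer's comparison would raise the phishing warning.
function hosts_differ(string $link, string $target): bool
{
    $h1 = host_from_href($link);
    $h2 = host_from_text($target);
    return $h1 === null || $h2 === null || strcasecmp($h1, $h2) !== 0;
}

// Values from the trace in the ticket; the link text contains CR LF.
$link   = 'www.univmed.fr/communication/?id=45418&amp;file=seminaires_mars_09.doc';
$target = "www.univmed.fr/communication/\r\n?id=45418&amp;file=seminaires_mars_09.doc";

// Comparison as in the ticket, on the raw link text.
var_dump(hosts_differ($link, $target));
// Same comparison after normalizing the link text.
var_dump(hosts_differ($link, normalize_link_text($target)));

// Constructed sample: link text naming a different host must still differ.
$other = "www.example.test/communication/\r\n?id=1";
var_dump(hosts_differ($link, normalize_link_text($other)));
```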






