still can not detect the macro in MS doc/docx file

Open 1nFrastr opened this issue 7 years ago • 5 comments

Server information

phpMussel v1.6.0

php 5.6

WAMP SERVER on win7

Issue

Hi, thanks for your effort on this issue a few days ago!

If phpMussel can detected Macro virus in Microsoft Document ? · Issue #165 · phpMussel/phpMussel

However, after enabling `block_macros=true`, it still cannot detect the macro in an MS doc/docx file; here is my testing sample.

Or can you share with me your testing files which can be detected as illegal files including macros?

Waiting for your reply, thanks!

1nFrastr avatar Sep 13 '18 04:09 1nFrastr

Hi 1nFrastr,

Sorry about the delay. Work has been busy again the past week or so.

Macro detection in phpMussel occurs during the archive phase of scanning (because most modern formats which support macros - e.g., MS Office Documents, Spreadsheets, etc - are structured as archives, with macros being contained as various files within those archives). This means that macro detection in phpMussel relies on being able to properly interpret the content of archives.

As of 3d55dad66c0801383151f63a16ab236c2ec8f23e, a small line of code has been added to the codebase to forcibly disable archive checking, as a temporary response to a vulnerability I've recently confirmed (#167) which affects the way that Phar is being utilised currently (preventing phpMussel from executing the archive phase will protect it against this vulnerability). To my knowledge, the only way to rectify this vulnerability in a more permanent manner (i.e., so that phpMussel will be able to execute the archive phase without being affected by this vulnerability), is to ditch using Phar entirely and use some other, alternative methods to handle archives.

I have some methods in mind, but it's still a work-in-progress at the moment. Once this has been done, macro detection should start working properly again.

Maikuolan avatar Sep 15 '18 08:09 Maikuolan
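
The archive layout described in the comment above, as an added example (not phpMussel's code, and not a statement of how phpMussel implements the check): a macro-enabled OOXML file is a ZIP whose members include a VBA project part, while a legacy `.doc` is an OLE2 compound file that a ZIP member walk cannot see into. The function names and the sample bytes are constructed for illustration.

```python
import io
import zipfile

# Header of the legacy OLE2 compound file used by binary .doc/.xls/.ppt.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Content type declared for a VBA project part in [Content_Types].xml.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
MAX_READ = 1 << 20  # cap on bytes inflated from any one member


def inspect_office_file(data: bytes) -> dict:
    """Report the container type and any macro indicators found in it."""
    result = {"container": "unknown", "macro_parts": [], "vba_content_type": False}
    if data.startswith(OLE2_MAGIC):
        # Legacy binary document: not a ZIP, so walking ZIP members finds
        # nothing and macro storage has to be located by an OLE2 parser.
        result["container"] = "ole2"
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["container"] = "zip"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            # The VBA project is conventionally stored as vbaProject.bin.
            if name.rsplit("/", 1)[-1] == "vbaproject.bin":
                result["macro_parts"].append(info.filename)
            elif name == "[content_types].xml":
                with zf.open(info) as fh:
                    result["vba_content_type"] = VBA_CONTENT_TYPE in fh.read(MAX_READ)
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for an OOXML package; not a real document."""
    types = b"<Types>" + (b'<Override PartName="/word/vbaProject.bin" ContentType="'
                          + VBA_CONTENT_TYPE + b'"/>' if with_macro else b"") + b"</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", b"<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro", build_sample(True)), ("clean", build_sample(False)),
                        ("legacy .doc header", OLE2_MAGIC + b"\x00" * 504)):
        print(label, inspect_office_file(blob))
```

A file named `.docx` that reports a `vbaProject.bin` member is a macro-enabled package under a non-macro extension, which is worth flagging on its own.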

Hi 1nFrastr,

I've just pulled some changes into master which resolve #167. When you've got a moment, could you update, and let me know whether macro detection works again on your end?

Cheers.

Maikuolan avatar Oct 17 '18 12:10 Maikuolan

(Sorry, I should've clarified before, but got busy and forgot. The links provided in your original message to the samples you've used, return 404 when I click on them. I don't think they uploaded properly, unfortunately).

Maikuolan avatar Oct 17 '18 12:10 Maikuolan

Sorry about that, here is the test file I used: macro_docx_2013.docx

1nFrastr avatar Oct 18 '18 03:10 1nFrastr

Cheers.

I tested the sample, and phpMussel on my end doesn't seem to be detecting it still. I might still need to make some more changes, I think. I'll do some more investigating and reply again a little later.

Maikuolan avatar Oct 18 '18 16:10 Maikuolan