jvoisin · camlafit · Jul 29, 2019 · Jul 30, 2019
diff --git a/php-malware-finder/whitelist.yar b/php-malware-finder/whitelist.yar
@@ -11,6 +11,7 @@ include "whitelists/phpmyadmin.yar"
 include "whitelists/magento1ce.yar"
 include "whitelists/magento2.yar"
 include "whitelists/prestashop.yar"
+include "whitelists/Spip.yar"
 include "whitelists/custom.yar"
 
 
@@ -125,5 +126,6 @@ private rule IsWhitelisted
         Dotclear or
         Owncloud or
         Phpmyadmin or
+        Spip or
         Misc
 }
diff --git a/php-malware-finder/whitelists/Spip.yar b/php-malware-finder/whitelists/Spip.yar
@@ -0,0 +1,259 @@
+include "Spip/spip-1.8.3b.yar"
+include "Spip/spip-1.9.1i.yar"
+include "Spip/spip-1.9.2f.yar"
+include "Spip/spip-1.9.2g.yar"
+include "Spip/spip-1.9.2h.yar"
+include "Spip/spip-1.9.2i.yar"
+include "Spip/spip-1.9.2j.yar"
+include "Spip/spip-1.9.2k.yar"
+include "Spip/spip-1.9.2m.yar"
+include "Spip/spip-1.9.2n.yar"
+include "Spip/spip-1.9.2o.yar"
+include "Spip/spip-1.9.2p.yar"
+include "Spip/spip-2-stable.yar"
+include "Spip/spip-2.0.0.yar"
+include "Spip/spip-2.0.1.yar"
+include "Spip/spip-2.0.10.yar"
+include "Spip/spip-2.0.11.yar"
+include "Spip/spip-2.0.12.yar"
+include "Spip/spip-2.0.13.yar"
+include "Spip/spip-2.0.14.yar"
+include "Spip/spip-2.0.15.yar"
+include "Spip/spip-2.0.16.yar"
+include "Spip/spip-2.0.17.yar"
+include "Spip/spip-2.0.18.yar"
+include "Spip/spip-2.0.19.yar"
+include "Spip/spip-2.0.2.yar"
+include "Spip/spip-2.0.20.yar"
+include "Spip/spip-2.0.21.yar"
+include "Spip/spip-2.0.22.yar"
+include "Spip/spip-2.0.23.yar"
+include "Spip/spip-2.0.24.yar"
+include "Spip/spip-2.0.25.yar"
+include "Spip/spip-2.0.26.yar"
+include "Spip/spip-2.0.3.yar"
+include "Spip/spip-2.0.5.yar"
+include "Spip/spip-2.0.6.yar"
+include "Spip/spip-2.0.7.yar"
+include "Spip/spip-2.0.8.yar"
+include "Spip/spip-2.0.9.yar"
+include "Spip/spip-2.1.0.yar"
+include "Spip/spip-2.1.1.yar"
+include "Spip/spip-2.1.10.yar"
+include "Spip/spip-2.1.11.yar"
+include "Spip/spip-2.1.12.yar"
+include "Spip/spip-2.1.13.yar"
+include "Spip/spip-2.1.14.yar"
+include "Spip/spip-2.1.15.yar"
+include "Spip/spip-2.1.16.yar"
+include "Spip/spip-2.1.17.yar"
+include "Spip/spip-2.1.18.yar"
+include "Spip/spip-2.1.19.yar"
+include "Spip/spip-2.1.2.yar"
+include "Spip/spip-2.1.20.yar"
+include "Spip/spip-2.1.21.yar"
+include "Spip/spip-2.1.22.yar"
+include "Spip/spip-2.1.23.yar"
+include "Spip/spip-2.1.24.yar"
+include "Spip/spip-2.1.25.yar"
+include "Spip/spip-2.1.26.yar"
+include "Spip/spip-2.1.27.yar"
+include "Spip/spip-2.1.28.yar"
+include "Spip/spip-2.1.29.yar"
+include "Spip/spip-2.1.3.yar"
+include "Spip/spip-2.1.30.yar"
+include "Spip/spip-2.1.4.yar"
+include "Spip/spip-2.1.5.yar"
+include "Spip/spip-2.1.6.yar"
+include "Spip/spip-2.1.7.yar"
+include "Spip/spip-2.1.8.yar"
+include "Spip/spip-2.1.9.yar"
+include "Spip/spip-3.0.0.yar"
+include "Spip/spip-3.0.0-alpha1.yar"
+include "Spip/spip-3.0.0-beta.yar"
+include "Spip/spip-3.0.0-beta2.yar"
+include "Spip/spip-3.0.0-rc.yar"
+include "Spip/spip-3.0.1.yar"
+include "Spip/spip-3.0.10.yar"
+include "Spip/spip-3.0.11.yar"
+include "Spip/spip-3.0.12.yar"
+include "Spip/spip-3.0.13.yar"
+include "Spip/spip-3.0.14.yar"
+include "Spip/spip-3.0.15.yar"
+include "Spip/spip-3.0.16.yar"
+include "Spip/spip-3.0.17.yar"
+include "Spip/spip-3.0.18.yar"
+include "Spip/spip-3.0.19.yar"
+include "Spip/spip-3.0.2.yar"
+include "Spip/spip-3.0.20.yar"
+include "Spip/spip-3.0.21.yar"
+include "Spip/spip-3.0.22.yar"
+include "Spip/spip-3.0.23.yar"
+include "Spip/spip-3.0.24.yar"
+include "Spip/spip-3.0.25.yar"
+include "Spip/spip-3.0.26.yar"
+include "Spip/spip-3.0.27.yar"
+include "Spip/spip-3.0.28.yar"
+include "Spip/spip-3.0.3.yar"
+include "Spip/spip-3.0.4.yar"
+include "Spip/spip-3.0.5.yar"
+include "Spip/spip-3.0.6.yar"
+include "Spip/spip-3.0.7.yar"
+include "Spip/spip-3.0.8.yar"
+include "Spip/spip-3.0.9.yar"
+include "Spip/spip-3.1.0.yar"
+include "Spip/spip-3.1.0-alpha.yar"
+include "Spip/spip-3.1.0-beta.yar"
+include "Spip/spip-3.1.0-rc.yar"
+include "Spip/spip-3.1.0-rc2.yar"
+include "Spip/spip-3.1.0-rc3.yar"
+include "Spip/spip-3.1.1.yar"
+include "Spip/spip-3.1.10.yar"
+include "Spip/spip-3.1.2.yar"
+include "Spip/spip-3.1.3.yar"
+include "Spip/spip-3.1.4.yar"
+include "Spip/spip-3.1.5.yar"
+include "Spip/spip-3.1.6.yar"
+include "Spip/spip-3.1.7.yar"
+include "Spip/spip-3.1.8.yar"
+include "Spip/spip-3.1.9.yar"
+include "Spip/spip-3.2-alpha-1.yar"
+include "Spip/spip-3.2.0.yar"
+include "Spip/spip-3.2.0-beta.yar"
+include "Spip/spip-3.2.0beta2.yar"
+include "Spip/spip-3.2.0beta3.yar"
+include "Spip/spip-3.2.1.yar"
+include "Spip/spip-3.2.2.yar"
+include "Spip/spip-3.2.3.yar"
+include "Spip/spip-3.2.4.yar"
+private rule Spip
+{    condition:
+        Spip183b or
+        Spip191i or
+        Spip192f or
+        Spip192g or
+        Spip192h or
+        Spip192i or
+        Spip192j or
+        Spip192k or
+        Spip192m or
+        Spip192n or
+        Spip192o or
+        Spip192p or
+        Spip2stable or
+        Spip200 or
+        Spip201 or
+        Spip2010 or
+        Spip2011 or
+        Spip2012 or
+        Spip2013 or
+        Spip2014 or
+        Spip2015 or
+        Spip2016 or
+        Spip2017 or
+        Spip2018 or
+        Spip2019 or
+        Spip202 or
+        Spip2020 or
+        Spip2021 or
+        Spip2022 or
+        Spip2023 or
+        Spip2024 or
+        Spip2025 or
+        Spip2026 or
+        Spip203 or
+        Spip205 or
+        Spip206 or
+        Spip207 or
+        Spip208 or
+        Spip209 or
+        Spip210 or
+        Spip211 or
+        Spip2110 or
+        Spip2111 or
+        Spip2112 or
+        Spip2113 or
+        Spip2114 or
+        Spip2115 or
+        Spip2116 or
+        Spip2117 or
+        Spip2118 or
+        Spip2119 or
+        Spip212 or
+        Spip2120 or
+        Spip2121 or
+        Spip2122 or
+        Spip2123 or
+        Spip2124 or
+        Spip2125 or
+        Spip2126 or
+        Spip2127 or
+        Spip2128 or
+        Spip2129 or
+        Spip213 or
+        Spip2130 or
+        Spip214 or
+        Spip215 or
+        Spip216 or
+        Spip217 or
+        Spip218 or
+        Spip219 or
+        Spip300 or
+        Spip300alpha1 or
+        Spip300beta or
+        Spip300beta2 or
+        Spip300rc or
+        Spip301 or
+        Spip3010 or
+        Spip3011 or
+        Spip3012 or
+        Spip3013 or
+        Spip3014 or
+        Spip3015 or
+        Spip3016 or
+        Spip3017 or
+        Spip3018 or
+        Spip3019 or
+        Spip302 or
+        Spip3020 or
+        Spip3021 or
+        Spip3022 or
+        Spip3023 or
+        Spip3024 or
+        Spip3025 or
+        Spip3026 or
+        Spip3027 or
+        Spip3028 or
+        Spip303 or
+        Spip304 or
+        Spip305 or
+        Spip306 or
+        Spip307 or
+        Spip308 or
+        Spip309 or
+        Spip310 or
+        Spip310alpha or
+        Spip310beta or
+        Spip310rc or
+        Spip310rc2 or
+        Spip310rc3 or
+        Spip311 or
+        Spip3110 or
+        Spip312 or
+        Spip313 or
+        Spip314 or
+        Spip315 or
+        Spip316 or
+        Spip317 or
+        Spip318 or
+        Spip319 or
+        Spip32alpha1 or
+        Spip320 or
+        Spip320beta or
+        Spip320beta2 or
+        Spip320beta3 or
+        Spip321 or
+        Spip322 or
+        Spip323 or
+        Spip324
+}
diff --git a/php-malware-finder/whitelists/Spip/spip-1.8.3b.yar b/php-malware-finder/whitelists/Spip/spip-1.8.3b.yar
@@ -0,0 +1,12 @@
+import "hash"
+
+private rule Spip183b
+{
+	condition:
+		/* Spip183b */
+		hash.sha1(0, filesize) == "2b2e67bb35d79592b73fdff33366c46b2de40820" or // spip/inc-calcul.php3
+		hash.sha1(0, filesize) == "c6a1b628befb4fc9c841d6fd7680447006a4bc47" or // spip/extract_pdf.php
+		hash.sha1(0, filesize) == "522fc9ed063c74992fd5abacb94c348209e919a2" or // spip/ecrire/inc_db_mysql.php3
+		hash.sha1(0, filesize) == "74631526e110d34f48802e208d2ac4a707d84601" or // spip/ecrire/inc_version.php3
+		false
+}
diff --git a/php-malware-finder/whitelists/Spip/spip-1.9.1i.yar b/php-malware-finder/whitelists/Spip/spip-1.9.1i.yar
@@ -0,0 +1,20 @@
+import "hash"
+
+private rule Spip191i
+{
+	condition:
+		/* Spip191i */
+		hash.sha1(0, filesize) == "633868e16a747afc5acaeae5c94642a0c0a82d27" or // spip/ecrire/exec/import_all.php
+		hash.sha1(0, filesize) == "eac1bd5dd68993b772424586476bbbf30b7e072f" or // spip/ecrire/exec/export_all.php
+		hash.sha1(0, filesize) == "e56b48670e31218a7c856fad63f60a6e2fa342f3" or // spip/ecrire/extract/pdf.php
+		hash.sha1(0, filesize) == "b3599c0787d45c7f08a493cd61187571df5fc187" or // spip/ecrire/public/criteres.php
+		hash.sha1(0, filesize) == "80676a96aac2bbd50d49cf5a665535aab15db944" or // spip/ecrire/public/parametrer.php
+		hash.sha1(0, filesize) == "5b34b23c23315a560c595f8a2c2b785d79a81daf" or // spip/ecrire/inc/import.php
+		hash.sha1(0, filesize) == "27f9b9e4490d6528242a2e230c7d420cf8555f76" or // spip/ecrire/inc/utils.php
+		hash.sha1(0, filesize) == "34d8e486b589e40b10489862c1c0259a02fd4c1a" or // spip/ecrire/inc/filtres_images.php
+		hash.sha1(0, filesize) == "2b88f077de5203bdc0b02b66030e31ba4db732f6" or // spip/ecrire/inc/plugin.php
+		hash.sha1(0, filesize) == "bdd85ad5ca0d67a5de47bab08f03eae00f476fa8" or // spip/ecrire/inc/flock.php
+		hash.sha1(0, filesize) == "993322d21803e6070116489685759653d9319113" or // spip/ecrire/inc/presentation.php
+		hash.sha1(0, filesize) == "9b333daec7009d70a8cba69bae1e21da69c33181" or // spip/ecrire/base/db_mysql.php
+		false
+}
diff --git a/php-malware-finder/whitelists/Spip/spip-1.9.2f.yar b/php-malware-finder/whitelists/Spip/spip-1.9.2f.yar
@@ -0,0 +1,26 @@
+import "hash"
+
+private rule Spip192f
+{
+	condition:
+		/* Spip192f */
+		hash.sha1(0, filesize) == "8d3347f63b24995c503966985ca65988c9c82806" or // spip/ecrire/exec/import_all.php
+		hash.sha1(0, filesize) == "0c97bd668f16459bf784e0cd8531df5bd449f229" or // spip/ecrire/exec/recherche.php
+		hash.sha1(0, filesize) == "09724694d6eb8a67b7f096a680a30867a8309d17" or // spip/ecrire/extract/pdf.php
+		hash.sha1(0, filesize) == "d4b7d89aa843ed04c044073f2a8ce70494c70fea" or // spip/ecrire/public/criteres.php
+		hash.sha1(0, filesize) == "fb0e9c8f42070642c269dc332451722e04b3562b" or // spip/ecrire/public/parametrer.php
+		hash.sha1(0, filesize) == "4ea473a1c1b2e96e2829c5b6c5ac861c5899efee" or // spip/ecrire/inc/vieilles_defs.php
+		hash.sha1(0, filesize) == "fdde185dc4a60a39ec7b8e667d33ae9bdc5b836e" or // spip/ecrire/inc/import.php
+		hash.sha1(0, filesize) == "208f79af9dcc6f5788b8d4af698d9284af26d22f" or // spip/ecrire/inc/export.php
+		hash.sha1(0, filesize) == "c216d23343a644690071883cbd02e0c42e577900" or // spip/ecrire/inc/compacte_js.php
+		hash.sha1(0, filesize) == "7223299b9c6be70481a329acf34011f5ca52e4ad" or // spip/ecrire/inc/utils.php
+		hash.sha1(0, filesize) == "6728932884511317279303c6590be77d78f123bb" or // spip/ecrire/inc/filtres_images.php
+		hash.sha1(0, filesize) == "f9b5dc20c4542b2f9d565b5e250e89d874a91c69" or // spip/ecrire/inc/plugin.php
+		hash.sha1(0, filesize) == "8d10e71f3b5cbbdf2de92ccf51f6bdfa60a41a8f" or // spip/ecrire/inc/flock.php
+		hash.sha1(0, filesize) == "42dbcc11d294054b4b513c7cc18563d898842e97" or // spip/ecrire/inc/pclzip.php
+		hash.sha1(0, filesize) == "5226b24a0ec455f62050ed1e52e025150b75517e" or // spip/ecrire/inc/import_insere.php
+		hash.sha1(0, filesize) == "a0b890c8162a92b41a518d68be46031e49226f6e" or // spip/ecrire/inc/minipres.php
+		hash.sha1(0, filesize) == "184fea12a6422b5ade617af31b1258d6bb278e80" or // spip/ecrire/inc/presentation.php
+		hash.sha1(0, filesize) == "a4a9c3f7d639f9f88891bc1d2629c8259aa15903" or // spip/ecrire/base/db_mysql.php
+		false
+}
diff --git a/php-malware-finder/whitelists/Spip/spip-1.9.2g.yar b/php-malware-finder/whitelists/Spip/spip-1.9.2g.yar
@@ -0,0 +1,26 @@
+import "hash"
+
+private rule Spip192g
+{
+	condition:
+		/* Spip192g */
+		hash.sha1(0, filesize) == "8d3347f63b24995c503966985ca65988c9c82806" or // spip/ecrire/exec/import_all.php
+		hash.sha1(0, filesize) == "0c97bd668f16459bf784e0cd8531df5bd449f229" or // spip/ecrire/exec/recherche.php
+		hash.sha1(0, filesize) == "09724694d6eb8a67b7f096a680a30867a8309d17" or // spip/ecrire/extract/pdf.php
+		hash.sha1(0, filesize) == "d4b7d89aa843ed04c044073f2a8ce70494c70fea" or // spip/ecrire/public/criteres.php
+		hash.sha1(0, filesize) == "fb0e9c8f42070642c269dc332451722e04b3562b" or // spip/ecrire/public/parametrer.php
+		hash.sha1(0, filesize) == "4ea473a1c1b2e96e2829c5b6c5ac861c5899efee" or // spip/ecrire/inc/vieilles_defs.php
+		hash.sha1(0, filesize) == "fdde185dc4a60a39ec7b8e667d33ae9bdc5b836e" or // spip/ecrire/inc/import.php
+		hash.sha1(0, filesize) == "208f79af9dcc6f5788b8d4af698d9284af26d22f" or // spip/ecrire/inc/export.php
+		hash.sha1(0, filesize) == "c216d23343a644690071883cbd02e0c42e577900" or // spip/ecrire/inc/compacte_js.php
+		hash.sha1(0, filesize) == "7223299b9c6be70481a329acf34011f5ca52e4ad" or // spip/ecrire/inc/utils.php
+		hash.sha1(0, filesize) == "6728932884511317279303c6590be77d78f123bb" or // spip/ecrire/inc/filtres_images.php
+		hash.sha1(0, filesize) == "f9b5dc20c4542b2f9d565b5e250e89d874a91c69" or // spip/ecrire/inc/plugin.php
+		hash.sha1(0, filesize) == "8d10e71f3b5cbbdf2de92ccf51f6bdfa60a41a8f" or // spip/ecrire/inc/flock.php
+		hash.sha1(0, filesize) == "42dbcc11d294054b4b513c7cc18563d898842e97" or // spip/ecrire/inc/pclzip.php
+		hash.sha1(0, filesize) == "5226b24a0ec455f62050ed1e52e025150b75517e" or // spip/ecrire/inc/import_insere.php
+		hash.sha1(0, filesize) == "a0b890c8162a92b41a518d68be46031e49226f6e" or // spip/ecrire/inc/minipres.php
+		hash.sha1(0, filesize) == "184fea12a6422b5ade617af31b1258d6bb278e80" or // spip/ecrire/inc/presentation.php
+		hash.sha1(0, filesize) == "a4a9c3f7d639f9f88891bc1d2629c8259aa15903" or // spip/ecrire/base/db_mysql.php
+		false
+}
diff --git a/php-malware-finder/whitelists/Spip/spip-1.9.2h.yar b/php-malware-finder/whitelists/Spip/spip-1.9.2h.yar
@@ -0,0 +1,26 @@
+import "hash"
+
+private rule Spip192h
+{
+	condition:
+		/* Spip192h */
+		hash.sha1(0, filesize) == "8d3347f63b24995c503966985ca65988c9c82806" or // spip/ecrire/exec/import_all.php
+		hash.sha1(0, filesize) == "0c97bd668f16459bf784e0cd8531df5bd449f229" or // spip/ecrire/exec/recherche.php
+		hash.sha1(0, filesize) == "09724694d6eb8a67b7f096a680a30867a8309d17" or // spip/ecrire/extract/pdf.php
+		hash.sha1(0, filesize) == "d4b7d89aa843ed04c044073f2a8ce70494c70fea" or // spip/ecrire/public/criteres.php
+		hash.sha1(0, filesize) == "fb0e9c8f42070642c269dc332451722e04b3562b" or // spip/ecrire/public/parametrer.php
+		hash.sha1(0, filesize) == "4ea473a1c1b2e96e2829c5b6c5ac861c5899efee" or // spip/ecrire/inc/vieilles_defs.php
+		hash.sha1(0, filesize) == "fdde185dc4a60a39ec7b8e667d33ae9bdc5b836e" or // spip/ecrire/inc/import.php
+		hash.sha1(0, filesize) == "208f79af9dcc6f5788b8d4af698d9284af26d22f" or // spip/ecrire/inc/export.php
+		hash.sha1(0, filesize) == "c216d23343a644690071883cbd02e0c42e577900" or // spip/ecrire/inc/compacte_js.php
+		hash.sha1(0, filesize) == "e3d3d397a9cafdd02ce40414de57b4818e3a9615" or // spip/ecrire/inc/utils.php
+		hash.sha1(0, filesize) == "6728932884511317279303c6590be77d78f123bb" or // spip/ecrire/inc/filtres_images.php
+		hash.sha1(0, filesize) == "f9b5dc20c4542b2f9d565b5e250e89d874a91c69" or // spip/ecrire/inc/plugin.php
+		hash.sha1(0, filesize) == "14862c9a93675eac69b1ceee64bfe953f33f8e86" or // spip/ecrire/inc/flock.php
+		hash.sha1(0, filesize) == "42dbcc11d294054b4b513c7cc18563d898842e97" or // spip/ecrire/inc/pclzip.php
+		hash.sha1(0, filesize) == "5226b24a0ec455f62050ed1e52e025150b75517e" or // spip/ecrire/inc/import_insere.php
+		hash.sha1(0, filesize) == "a0b890c8162a92b41a518d68be46031e49226f6e" or // spip/ecrire/inc/minipres.php
+		hash.sha1(0, filesize) == "184fea12a6422b5ade617af31b1258d6bb278e80" or // spip/ecrire/inc/presentation.php
+		hash.sha1(0, filesize) == "a4a9c3f7d639f9f88891bc1d2629c8259aa15903" or // spip/ecrire/base/db_mysql.php
+		false
+}