Snort mailing list archives

Followup to rule 1841 - URL spoofing vulnerability


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Thu, 20 Feb 2003 23:37:15 -0600

Here's what Andreas Sandblad provides as exploit code in his explanation
of this vulnerability:

<body onload=init()> 
<iframe name=f height=0 width=0 style=visibility:hidden></iframe> 
<script> 
function init(){ 
f.location = "javascript://www.google.com/\n"+ 
"'<body onload=alert(document.cookie)>'"; 
} 

Sid 1841 looks for content:"javascript://\".  Here's a payload that
triggered this rule:
<a href="javascript://"
onclick="f.NewWindow('../keywordSearchHelp.htm')">

This looks like a false positive to me.  Or am I just full of it?  It
looks to me like the rule needs to be changed to content:"javascript:/\"

I'm getting a ton of these hits from our students doing normal web
surfing, and I haven't seen anything yet that looks malicious.

Comments?  Experts?  What say you?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
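
Added example (not part of the original message, and not Snort's or the rule author's code): the sketch below runs the substring the message attributes to sid 1841 over the two payloads quoted above, then applies a narrower check. The case-insensitive match and the HOST_AFTER_SCHEME pattern are assumptions made for illustration; the pattern requires a host-like token right after "javascript://", which is what the spoofing payload carries and the benign link lacks.

```python
import re

# Substring the message says sid 1841 looks for. Matching it
# case-insensitively is an assumption about the rule's options.
RULE_CONTENT = "javascript://"

# Hypothetical narrower pattern (not the Snort rule): a dotted host name
# directly after the scheme, as in "javascript://www.google.com/".
HOST_AFTER_SCHEME = re.compile(
    r"javascript://[a-z0-9][a-z0-9.-]*\.[a-z]{2,}", re.IGNORECASE
)

# Both payloads are copied from the message above.
EXPLOIT = r'''f.location = "javascript://www.google.com/\n"+
"'<body onload=alert(document.cookie)>'";'''
BENIGN = r'''<a href="javascript://"
onclick="f.NewWindow('../keywordSearchHelp.htm')">'''


def content_match(payload: str) -> bool:
    """Emulate the plain content match: substring anywhere in the payload."""
    return RULE_CONTENT in payload.lower()


def host_spoof_match(payload: str) -> bool:
    """True only when a host-like token follows 'javascript://'."""
    return HOST_AFTER_SCHEME.search(payload) is not None


def classify(payload: str) -> str:
    """Separate hits that carry a spoofed host from bare-scheme hits."""
    if not content_match(payload):
        return "no alert"
    if host_spoof_match(payload):
        return "alert: host after javascript://"
    return "content-only hit (likely false positive)"


if __name__ == "__main__":
    for name, payload in (("exploit", EXPLOIT), ("benign", BENIGN)):
        print(f"{name}: {classify(payload)}")
```

The narrower pattern is a heuristic: it will not fire on a bare IP address or a single-label host name after the scheme, so it trades some coverage for fewer hits on placeholder links.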


