Snort mailing list archives
Followup to rule 1841 - URL spoofing vulnerability
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Thu, 20 Feb 2003 23:37:15 -0600
Here's what Andreas Sanblad provides as exploit code in his explanation of this vulnerability: <body onload=init()> <iframe name=f height=0 width=0 style=visibility:hidden></iframe> <script> function init(){ f.location = "javascript://www.google.com/\n"+ "'<body onload=alert(document.cookie)>'"; } Sid 1841 looks for content:"javascript://\". Here's a payload that triggered this rule: <a href="javascript://" onclick="f.NewWindow('../keywordSearchHelp.htm')"> This looks like a false positive to me. Or am I just full of it? It looks to me like the rule needs to be changed to content:"javascript:/\" I'm getting a ton of these hits from our students doing normal web surfing, and I haven't seen anything yet that looks malicious. Comments? Experts? What say you? Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/ ------------------------------------------------------- This SF.net email is sponsored by: SlickEdit Inc. Develop an edge. The most comprehensive and flexible code editor you can use. Code faster. C/C++, C#, Java, HTML, XML, many more. FREE 30-Day Trial. www.slickedit.com/sourceforge _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Followup to rule 1841 - URL spoofing vulnerability Schmehl, Paul L (Feb 20)