Snort mailing list archives
Re: False positive?
From: Shirk Dog <shirkdog_list () hotmail com>
Date: Mon, 11 Apr 2011 22:54:34 -0400
There is also bad web design with the mhtml vulnerability with some websites matching the triggering condition.

Shirkdog
Free your mind...
http://www.shirkdog.us

Date: Mon, 11 Apr 2011 21:11:20 -0400
From: jesler () sourcefire com
To: Shawn.Jefferson () bcferries com
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] False positive?

Unfortunately I'm not sure what to tell you, that website exactly matches the vulnerability description and testing that we have done in house. Import of the same exact css time after time after time.

@import url("Home/AM-Home.css");@import url("Home/AM-Home.css");@import url("Home/AM-Home.css");

It's not a false positive, as that's the triggering condition for the vulnerability. Poor web design? Maybe, but there is a lot of really interesting code on that page. Take a look at the source.

J

On Mon, Apr 11, 2011 at 7:17 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:

The following site triggered SID 1:18196 WEB-CLIENT Microsoft Internet Explorer CSS importer use-after-free attempt.

hxxp://www.automagic.com/

It looks to me like a false positive, in that there doesn’t appear to be an exploit, but just poor web design. Can someone with more knowledge of how this vulnerability is exploited take a look and share your thoughts?

Shawn

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org | http://blog.clamav.net
Twitter: http://twitter.com/snort
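Added example, not part of the original thread and not the logic of SID 1:18196 (the rule text is not shown here): a triage helper an analyst could run over saved page source to confirm the condition described above, the same stylesheet imported repeatedly. The function names, the min_repeats threshold and the sample markup around the quoted import line are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches @import "x", @import 'x', @import url("x"), url('x') and url(x).
IMPORT_RE = re.compile(
    r"""@import\s*(?:url\(\s*)?(?:"([^"]*)"|'([^']*)'|([^\s"');]+))""",
    re.IGNORECASE,
)
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


def import_targets(source):
    """Return every @import target in page or stylesheet text, in order."""
    text = COMMENT_RE.sub("", source)  # ignore commented-out imports
    targets = []
    for m in IMPORT_RE.finditer(text):
        # Exactly one of the three capture groups is set per match.
        target = next(g for g in m.groups() if g is not None)
        targets.append(target.strip())
    return targets


def repeated_imports(source, min_repeats=2):
    """Map each target imported at least min_repeats times to its count.

    min_repeats is an assumed triage threshold, not a value from the rule.
    """
    counts = Counter(import_targets(source))
    return {t: n for t, n in counts.items() if n >= min_repeats}


# Constructed sample: the import line quoted in the thread, wrapped in a
# made-up <style> block with one unrelated import and a commented-out one.
SAMPLE = """<style type="text/css">
@import url("Home/AM-Home.css");@import url("Home/AM-Home.css");@import url("Home/AM-Home.css");
@import 'print.css';
/* @import url(print.css); */
</style>"""

if __name__ == "__main__":
    for target, n in repeated_imports(SAMPLE).items():
        print(f"{target}: imported {n} times")
```

A hit only confirms that the page matches the condition discussed in the thread; it does not tell benign markup from an exploit attempt, so the rest of the page source still needs review.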