Re: Offer a new sig for detecting Mozilla Firefox location about XSS vulnerability

[Joshua Williams <joshuwi2 () sourcefire com>]

Hi rmkml,

Thanks for your submission. I'll review and test this rule and get back to
you when it's finished.

--
Josh Williams
Detection Response Team
TALOS Security Group

On Fri, Aug 5, 2016 at 1:39 PM, rmkml <rmkml () ligfy org> wrote:

> Hi,
>
> The http://etplc.org open source project offer a new sig for detecting
> Mozilla Firefox location about XSS vulnerability:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
> Mozilla Firefox Location Spoofing about xss attempt";
> flow:from_server,established; file_data; content:"about:"; nocase;
> distance:0; content:"?"; within:15; distance:0; content:"<"; within:100;
> distance:0; content:"location"; nocase; pcre:"/\babout:[a-z]+\?[^\n]+\</si";
> reference:cve,2016-5268;
> reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-83/;
> reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1253673;
> classtype:misc-activity; sid:1; rev:1;)
>
> It's a first SPECIFIC signature, many variant is possible with
> JavaScript...
>
> See reference for more information.
>
> Don't forget check variables.
>
> Please send any comments.
>
> Regards
> @Rmkml
>
> ------------------------------------------------------------
> ------------------
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!