[Snort-sigs] Mozilla vulnerabilities

Joseph Gama josephgama at ...144...
Wed Aug 18 14:05:03 EDT 2004


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"Mozilla Firefox Certificate Spoofing";
pcre:"/META[\s]+HTTP-EQUIV[\s]*=[\s]*['"]*REFRESH['"]*[\s]+CONTENT[\s]*=[\s]*['"]*[\d]+[\s]*\;[\s]*URL[\s]*=[\s]*http[\s\S]+onunload[\s]*=[\s]*['"]+[\s\S]+document\.write[\s\S]+window\.location\.reload/i";
reference:url,http.www.securiteam.com/securitynews/5EP0L1PDFG.html;
classtype:misc-activity; sid:2000000; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"Mozilla Cookie theft"; 
reference:url,http.www.securiteam.com/securitynews/5GP0T0U60M.html;
pcre:"/http\://[\w]+(\.[\w]+){1,2}%00(([\d]+\.*){4}|[\d]+|[\w]+(\.[\w]+){1,2})/i";
reference:url,http.www.securiteam.com/securitynews/5GP0T0U60M.html;
classtype:misc-activity; sid:2000000; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"Reading Local Files in Netscape 6 and Mozilla";
pcre:"/([\w]+)[\s]*=[\s]*new[\s]+XMLHttpRequest[\s\S]+\1\.open[\s]*\([\s]*['"]GET['"][\s]*,/i";
reference:url,http.www.securiteam.com/securitynews/5JP000A76K.html;
classtype:misc-activity; sid:2000000; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"Mozilla FTP View Cross-Site Scripting
Vulnerability"; content:"ftp\://"; nocase;
content:"<TITLE"; content:"<SCRIPT";
content:"</TITLE";
reference:url,http.www.securiteam.com/windowsntfocus/5MP0I0080A.html;
classtype:misc-activity; sid:2000000; rev:1;)




		
__________________________________
Do you Yahoo!?
Read only the mail you want - Yahoo! Mail SpamGuard.
http://promotions.yahoo.com/new_mail 




More information about the Snort-sigs mailing list