[Snort-sigs] Avoidance of 2437.5 (WEB-CLIENT RealPlayer arbitrary javascript command attempt)

nnposter at ...592... nnposter at ...592...
Fri Jul 2 17:07:00 EDT 2004


Rule:  WEB-CLIENT RealPlayer arbitrary javascript command attempt

--
Sid: 2437

--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:

--
False Negatives:
Current version of the rule incorrectly assumes specific spacing.
As a result, an attacker can easily get around the signature.

See http://www.faqs.org/rfcs/rfc2045.html
See http://www.faqs.org/rfcs/rfc822.html
--
Corrective Action:

--
Contributors:

-- 
Additional References:


I am proposing to follow the MIME header with "\s*" instead of "\s+":

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"WEB-CLIENT RealPlayer arbitrary javascript command attempt"; 
flow:to_client,established; content:"Content-Type|3A|"; nocase; 
pcre:"/^Content-Type\x3a\s*application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/smi"; 
reference:bugtraq,8453; reference:bugtraq,9738; 
reference:cve,2003-0726; classtype:attempted-user; sid:2437; rev:6;)
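
The spacing gap described under False Negatives, as an added example that is not part of the original post: it runs the proposed pcre beside a "\s+" form over constructed HTTP responses and lists the header spellings only the "\s*" form catches. The "\s+" pattern is assumed to differ from the proposed rule only in that quantifier; the sample responses and the PLACEHOLDER value are constructed.

```python
import re

FLAGS = re.S | re.M | re.I  # the rule's /smi modifiers

# Tail shared by both forms, copied from the pcre option of the proposed rule.
TAIL = r"application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a"

# Assumption: the earlier form differs only in the quantifier after the colon.
OLD_RULE = re.compile(r"^Content-Type\x3a\s+" + TAIL, FLAGS)
NEW_RULE = re.compile(r"^Content-Type\x3a\s*" + TAIL, FLAGS)

# Constructed body; PLACEHOLDER stands in for whatever follows the scheme.
BODY = '<smil><area href="file:javascript:PLACEHOLDER"/></smil>'

def response(content_type_line):
    """Build a constructed HTTP response around one Content-Type header line."""
    return ("HTTP/1.1 200 OK\r\n"
            "Server: constructed-sample\r\n"
            + content_type_line + "\r\n\r\n" + BODY)

# Constructed samples: label -> raw header line as it would appear on the wire.
SAMPLES = {
    "one space": "Content-Type: application/smil",
    "tab": "Content-Type:\tapplication/smil",
    "folded": "Content-Type:\r\n application/smil",
    "no whitespace": "Content-Type:application/smil",
    "mixed case, no whitespace": "content-TYPE:Application/SMIL",
    "benign type": "Content-Type: text/html",
}

def evaluate(samples=SAMPLES):
    """Return {label: (old_form_hit, new_form_hit)} for each sample."""
    results = {}
    for label, line in samples.items():
        data = response(line)
        results[label] = (bool(OLD_RULE.search(data)), bool(NEW_RULE.search(data)))
    return results

def coverage_gaps(samples=SAMPLES):
    """Labels that the \\s+ form misses but the \\s* form catches."""
    return [k for k, (old, new) in evaluate(samples).items() if new and not old]

if __name__ == "__main__":
    for label, (old, new) in evaluate().items():
        print(f"{label:28} old={old!s:5} new={new}")
    print("gaps:", coverage_gaps())
```
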



