[Snort-sigs] Write up for 4148

James Affeld jamesaffeld at ...144...
Tue May 16 13:42:50 EDT 2006

Rule:  WEB-CLIENT DHTML Editing ActiveX Object Access


Summary: Hostile web sites can upload arbitrary files
from hosts using unpatched IE 5 browsers.

Impact: Disclosure of arbitrary files, potentially
including password caches.  If combined with another
attack allowing file search for strings characteristic
of credit card numbers, this could be very bad.

Detailed Information: An ActiveX object intended to
provide for WYSIWYG editing on web forms and the like
has a flaw which allows a hostile web site to upload
arbitrary files from a browsing computer if that
computer is using unpatched Internet Explorer 5.

Affected Systems:
Unpatched IE 5

Attack Scenarios:

Ease of Attack:

False Positives:
Many sites use this feature legitimately for WYSIWYG
editing on web forms.  www.blackboard.com is one.

False Negatives:

Corrective Action:
Patch all systems using IE 5.

Information summarized from rule references, no
original/new data supplied, apart from FP source.

Additional References:
