[Snort-users] False positive?

Joel Esler jesler at ...1935...
Mon Apr 11 21:11:20 EDT 2011

Unfortunately I'm not sure what to tell you, that website exactly matches
the vulnerability description and testing that we have done in house.
 Import of the same exact css time after time after time.

@import url("Home/AM-Home.css");
@import url("Home/AM-Home.css");
@import url("Home/AM-Home.css");

It's not a false positive, as that's the triggering condition for the
vulnerability. Poor web design?  Maybe, but there is a lot of really
interesting code on that page.  Take a look at the source.


On Mon, Apr 11, 2011 at 7:17 PM, Jefferson, Shawn <
Shawn.Jefferson at ...14448...> wrote:

>  The following site triggered SID 1:18196 WEB-CLIENT Microsoft Internet
> Explorer CSS importer use-after-free attempt.
> hxxp://www.automagic.com/
> It looks to me like a false positive, in that there doesn’t appear to be an
> exploit, but just poor web design.  Can someone with more knowledge of how
> this vulnerability is exploited take a look and share your thoughts?
> Shawn
> ------------------------------------------------------------------------------
> Forrester Wave Report - Recovery time is now measured in hours and minutes
> not days. Key insights are discussed in the 2010 Forrester Wave Report as
> part of an in-depth evaluation of disaster recovery service providers.
> Forrester found the best-in-class provider in terms of services and vision.
> Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
Twitter:  http://twitter.com/snort
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110411/31fddd38/attachment.html>

More information about the Snort-users mailing list