[Snort-users] False positive?

Joel Esler jesler at ...1935...
Tue Apr 12 10:28:36 EDT 2011


I've been told by a trusted advisor that the page was created with
Dreamweaver.  Dreamweaver is very powerful and can do some miraculous
websites.  However, it can also mess a website up (and load the same CSS
three times in a row).

So it's still not a false positive, just poor use of an HTML designing tool.

J

On Mon, Apr 11, 2011 at 10:54 PM, Shirk Dog <shirkdog_list at ...125...> wrote:

>  There is also bad web design with the mhtml vulnerability with some
> websites matching the triggering condition.
>
>
> Shirkdog
> Free your mind...
> http://www.shirkdog.us
>
>
>
> ------------------------------
> Date: Mon, 11 Apr 2011 21:11:20 -0400
> From: jesler at ...1935...
> To: Shawn.Jefferson at ...14448...
> CC: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] False positive?
>
>
> Unfortunately I'm not sure what to tell you, that website exactly matches
> the vulnerability description and testing that we have done in house.
> Import of the same exact CSS time after time after time.
>
> @import url("Home/AM-Home.css");
> @import url("Home/AM-Home.css");
> @import url("Home/AM-Home.css");
>
> It's not a false positive, as that's the triggering condition for the
> vulnerability. Poor web design?  Maybe, but there is a lot of really
> interesting code on that page.  Take a look at the source.
>
> J
>
> On Mon, Apr 11, 2011 at 7:17 PM, Jefferson, Shawn <
> Shawn.Jefferson at ...14448...> wrote:
>
>  The following site triggered SID 1:18196 WEB-CLIENT Microsoft Internet
> Explorer CSS importer use-after-free attempt.
>
> hxxp://www.automagic.com/
>
> It looks to me like a false positive, in that there doesn’t appear to be an
> exploit, but just poor web design.  Can someone with more knowledge of how
> this vulnerability is exploited take a look and share your thoughts?
>
> Shawn
>
>
> --
> Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
> http://blog.clamav.net
> Twitter:  http://twitter.com/snort
>



-- 
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
Twitter:  http://twitter.com/snort
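
A triage helper for alerts like the one discussed in this thread, added here as an example; it is not part of the original messages and is not Snort's own logic for SID 1:18196. It scans the `<style>` blocks of a saved page for the same stylesheet imported several times in a row, the condition described above. The function names, the threshold of 3 and both sample pages are assumptions constructed for illustration.

```python
import re
from itertools import groupby

# Accepts @import url("x"); @import url(x); and @import "x" media;
IMPORT_RE = re.compile(
    r"""@import\s+(?:url\(\s*)?["']?([^"')\s;]+)["']?\s*\)?[^;]*;""",
    re.IGNORECASE,
)
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
STYLE_RE = re.compile(r"<style\b[^>]*>(.*?)</style\s*>", re.IGNORECASE | re.DOTALL)


def css_imports(css):
    """Return @import targets in document order, skipping CSS comments."""
    return [m.group(1) for m in IMPORT_RE.finditer(COMMENT_RE.sub("", css))]


def repeated_imports(html, threshold=3):
    """Map each stylesheet imported `threshold` or more times in a row
    inside a single <style> block to its longest run length.
    threshold=3 mirrors the sample in the thread; it is an assumption."""
    findings = {}
    for block in STYLE_RE.findall(html):
        for target, run in groupby(css_imports(block)):
            n = len(list(run))
            if n >= threshold:
                findings[target] = max(n, findings.get(target, 0))
    return findings


# Constructed sample: the three imports quoted in the thread, wrapped in markup.
FLAGGED_PAGE = """<html><head><style type="text/css">
<!--
@import url("Home/AM-Home.css");
@import url("Home/AM-Home.css");
@import url("Home/AM-Home.css");
-->
</style></head><body></body></html>"""

# Constructed sample: repeated but never consecutive imports, so no run.
CLEAN_PAGE = """<html><head><style>
@import url(a.css);
@import "b.css" screen;
@import url('a.css');
</style></head></html>"""

if __name__ == "__main__":
    for name, page in (("flagged", FLAGGED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, repeated_imports(page))
```

A hit only confirms that the page contains the pattern the alert keys on; whether the page is hostile still has to be judged from the rest of its source.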