> note1: ndb database format: use with v0.80
> note2: matches <iframe src=file:// ..{586}.. name="
> 
> exploit.iframe.file:3:*:3C696672616D65207372633D66696C653A2F2F{-586}6E616D653D22


It's close to what we want.  How do we account for tags like this where 
the attributes aren't in order?  A regex is easy but I'm having trouble 
with doing it in signatures.  A regex might look like 
this:
  <iframe[^>]+src=[^ >]{586,}

<iframe width="...  onload=...= height=url:... src=url:S...> 

In reality, we should never see a src > 586 bytes long.  It's just sane
html to say keep it restricted.  

-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770

_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
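
The two patterns discussed in the message above, compared side by side on constructed HTML fragments. This is an added example, not code from the original post or from ClamAV. `ndb_to_regex` and `classify` are hypothetical helpers, the translator handles only hex runs and `{n}`, `{-n}`, `{n-}`, `{n-m}` gaps, and the scanner's HTML normalisation for target type 3 is not modelled.

```python
import re

# Signature line quoted in the message: name:target:offset:hexbody
NDB = ("exploit.iframe.file:3:*:"
       "3C696672616D65207372633D66696C653A2F2F{-586}6E616D653D22")
# Regex proposed in the message, applied to bytes.
PROPOSED = re.compile(rb"<iframe[^>]+src=[^ >]{586,}")


def ndb_to_regex(line):
    """Translate an ndb hex body into a bytes regex (subset of the syntax)."""
    body = line.split(":", 3)[3]
    out = b""
    for hexrun, gap in re.findall(r"([0-9A-Fa-f]+)|\{([0-9-]+)\}", body):
        if hexrun:
            # Literal bytes: here '<iframe src=file://' and 'name="'
            out += re.escape(bytes.fromhex(hexrun))
            continue
        lo, dash, hi = gap.partition("-")
        if not dash:            # {n} means exactly n bytes
            hi = lo
        # {-n} means n bytes or fewer, {n-} means n bytes or more
        out += b".{%s,%s}" % ((lo or "0").encode(), hi.encode())
    return re.compile(out, re.DOTALL)


SIG = ndb_to_regex(NDB)


def classify(html):
    """Return (signature_hit, proposed_regex_hit) for one HTML fragment."""
    return bool(SIG.search(html)), bool(PROPOSED.search(html))


# Constructed samples, not taken from real traffic.
SAMPLES = {
    # src first, short value: the fixed-order signature fires, the regex does not
    "in_order_short": b"<iframe src=file://" + b"A" * 100 + b' name="x">',
    # src first, 607-byte value: more than 586 bytes before name=", so only the regex fires
    "in_order_long": b"<iframe src=file://" + b"A" * 600 + b' name="x">',
    # src last: the literal '<iframe src=' never appears, so only the regex fires
    "reordered_long": b'<iframe width="1" name="x" src=file://' + b"A" * 600 + b">",
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(name, classify(html))
```

The `{-586}` gap bounds the distance between the two literals from above, while the proposed regex bounds the `src` value from below, so the two patterns differ in more than attribute order.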
