TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
118
S/MIME, HTML etc. This rule triggered when an attacker could request the .eml file. The EML file can contain
encoded attachments(such as grapics, files, etc.) and all recovered/repair messages are save as .eml files. An attacker
can use this vulnerability to gain unauthorized access.
Signature ID: 1006
RealOne Player SMIL File Script Execution vulnerability
Threat Level: Warning
Industry ID: CVE-2003-0726 CVE-2004-2371 Bugtraq: 9738,8453
Signature Description: RealOne Player is a cross-platform media player by RealNetworks that plays a number of
multimedia formats including MP3, MPEG-4, Windows Media, and multiple versions of proprietary RealAudio and
RealVideo formats. RealOne Player Gold for Windows 6.0.10 .505 and prior versions are vulnerable. RealOne player
Gold 6.0.10 .505 and prior versions allows remote attackers to execute arbitrary script in the "My Computer" zone via a
specially crafted Synchronized Multimedia Integration Language (SMIL) file that will cause the player to load a series
of arbitrary URLs. If one of the URLs contains scripting code, the player will execute the scripting code in the context
of the previous URL. Patches are available at Real websites.
Signature ID: 1007
XMLHttpRequest mishandling HTTP redirect vulnerability
Threat Level: Information
Industry ID: CVE-2002-0354 Bugtraq: 4628
Signature Description: The XMLHttpRequest object (XMLHTTP) in Netscape 6.1 and Mozilla 0.9.7 allows remote
attackers to read arbitrary files and list directories on a client system by opening a URL that redirects the browser to the
file on the client, then reading the result using the responseText property.
Signature ID: 1008
Microsoft Internet Explorer Header Local Resource Access via Location: HTTP Response
Header vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0549 Bugtraq: 10472
Signature Description: Microsoft, Internet Explorer 5.01 SP4 and prior verions are vulnerable. The cross domain
security model that Internet Explorer implements is to make sure that browser windows that are under the control of
different Web sites cannot interfere with each other or access each other's data, while allowing windows from the same
site to interact with each other. Internet Explorer uses cross-domain security model to maintain separation between
browser frames from different sources. A remotely exploitable cross domain vulnerability exists in Internet Explorer.
The Location response-header field is used to redirect the recipient to a location other than the Request-URI for
completion of the request or identification of a new resource. An attacker can configure a web server to send a delayed
300 response specifying a URL that points to a resource on the client's system, in the Local Machine Zone which would
cause the file to open, once the page is visited. An attacker could exploit this vulnerability by hosting the malicious
Web page on a Web site or by sending it to a victim as an HTML email. By making use of a second vulnerability
Modal Dialog Zone Bypass javascript can be executed within the victim's "My Computer" security zone.
Administrators are advised to install the updates mentioned in MS04-025.
Signature ID: 1009
Autoload readme.eml
Threat Level: Severe
Signature Description: This is an attempt is made to load and run readme.eml, which is used as an infection vector for
the nimda worm.The nimda worm affects Microsoft Windows systems and attempts to spread via email, network shares
and Microsoft IIS servers. A compromised server will attempt to spread and infect other vulnerable hosts.