Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:
This event triggers when an HTML <script> tag has a src attribute value with a misleading extension, which may evade anti-virus or other security software by causing it to misinterpret the nature of the script file.
This signature will trigger on a tag such as <script src='sneaky.jpg'>. Normally, files with .jpg extensions are JPEG images rather than scripts, but a crafty attacker may use .jpg as a script extension to evade detection of an exploit by security software. The set of recognized extensions that should NOT appear in the script src attribute may be configured using the tuning parameter pam.html.script.extension.blacklist; the extensions blacklisted by default include avi, css, doc, docx, eot, exe, gif, htm, html, ico, jpeg, jpg, mid, mov, mp3, mpg, pdf, png, ppt, ps, swf, tif, txt, and xls.
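The check described above can be reproduced offline to audit saved pages or proxy captures. The following is an added example, not IBM's implementation of the signature: the names src_extension, ScriptSrcAuditor and audit_html are hypothetical, and ignoring the query string and fragment when reading the extension is an assumption of this example. The default list is the one given above.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Default extensions, copied from the signature description above.
DEFAULT_BLACKLIST = frozenset(
    "avi css doc docx eot exe gif htm html ico jpeg jpg mid mov mp3 mpg "
    "pdf png ppt ps swf tif txt xls".split())

def src_extension(src):
    """Lower-cased extension of the URL path; query and fragment are ignored
    (an assumption of this example)."""
    path = urlsplit(src.strip()).path
    return posixpath.splitext(posixpath.basename(path))[1].lstrip(".").lower()

class ScriptSrcAuditor(HTMLParser):
    """Records <script src=...> values whose extension is blacklisted."""
    def __init__(self, blacklist=DEFAULT_BLACKLIST):
        super().__init__()
        self.blacklist = {e.lower().lstrip(".") for e in blacklist}
        self.findings = []  # (line number, src value, extension)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names before this call.
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value and src_extension(value) in self.blacklist:
                self.findings.append((self.getpos()[0], value, src_extension(value)))

def audit_html(html, blacklist=DEFAULT_BLACKLIST):
    """Return (line, src, extension) for every flagged <script> tag."""
    auditor = ScriptSrcAuditor(blacklist)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page (not captured traffic).
SAMPLE_HTML = """<html><head>
<script src='sneaky.jpg'></script>
<script src="/static/app.js"></script>
<SCRIPT SRC="http://cdn.example/lib/loader.PNG?v=3#top"></SCRIPT>
<script src="/js/jquery.min.js?file=logo.gif"></script>
<img src="photo.jpg">
</head></html>"""

if __name__ == "__main__":
    for line, src, ext in audit_html(SAMPLE_HTML):
        print(f"line {line}: script src {src!r} uses blacklisted extension .{ext}")
```

Only the two script tags whose path ends in a listed extension are reported; the image tag and the script whose query string merely mentions logo.gif are not.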
Low
Proventia Network IPS: XPU 29.070, Proventia Desktop: 2410, RealSecure Network: XPU 29.070, RealSecure Server Sensor: XPU 29.070, Proventia-G 1.1 and earlier: XPU 29.070, Proventia Network IDS: XPU 29.070, Proventia Network MFS: XPU 29.070, IBM Security Server Protection for Windows: 2.0.300.2410, IBM Security Server Protection for Windows: 1.0.914.2410, IBM Security Server Protection for Windows: 2.1.14.2410, Proventia Server IPS for Linux technology: 29.070, Virtual Server Protection for VMware: 1.0
Any manufacturer Web browser
Suspicious Activity
A vulnerability exists in intrusion detection and antivirus products that would allow an attacker to evade detection by using misleading extensions within script tags in an HTML document.
No remedy available as of December 4, 2010.
ISS X-Force
HTML Script Extension Evasion
http://www.iss.net/security_center/static/51568.php