Think you have a false positive on this rule?

Sid 1-3679


INDICATOR-OBFUSCATION Multiple Products IFRAME src javascript code execution


This event is generated when javascript code is detected within an iframe on any HTTP ports


Attempted User Privilege Gain


CVSS base score 5.1

CVSS impact score 6.4

CVSS exploitability score 4.9

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL


CVSS base score 4.3

CVSS impact score 2.9

CVSS exploitability score 8.6

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Detailed information

This is solely looking for javascript embedded within an iframe. CVE-2005-1476: Firefox 1.0.3 allows remote attackers to execute arbitrary Javascript in other domains by using an IFRAME and causing the browser to navigate to a previous javascript: URL, which can lead to arbitrary code execution when combined with CVE-2005-1477.

CVE-2008-2939: Cross-site scripting (XSS) vulnerability in proxyftp.c in the modproxyftp module in Apache 2.0.63 and earlier, and modproxyftp.c in the modproxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.

Affected systems

  • mozilla firefox 1.0.3
  • apache http_server 2.0.63
  • apache http_server 2.2.0
  • apache http_server 2.2.1
  • apache http_server 2.2.2
  • apache http_server 2.2.3
  • apache http_server 2.2.4
  • apache http_server 2.2.5
  • apache http_server 2.2.6
  • apache http_server 2.2.8
  • apache http_server 2.2.9
  • apple macosx 10.5.6
  • canonical ubuntu_linux 6.06
  • canonical ubuntu_linux 7.10
  • canonical ubuntu_linux 8.04
  • novell opensuse 10.2
  • novell opensuse 10.3
  • novell opensuse 11.0

Ease of attack


False positives

None Known

False negatives

None Known

Corrective action



  • Cisco's Talos Intelligence Group

Additional References