HTTP: Javascript Replace Function Unicode Obfuscation

This signature detects the use of the JavaScript Replace function to create obfuscated web pages that evade content inspection and filtering systems. Such scripts are commonly used by malware to avoid IPS detection, but adware can use them for the same reason.

Extended Description

Insecure method vulnerability in the ChilkatCrypt2.ChilkatCrypt2.1 ActiveX control (ChilkatCrypt2.dll 4.3.2.1) in Chilkat Crypt ActiveX Component allows remote attackers to create and overwrite arbitrary files via the WriteFile method. NOTE: this could be leveraged for code execution by creating executable files in Startup folders or by accessing files using hcp:// URLs. NOTE: some of these details are obtained from third party information.

Affected Products

Chilkat_software chilkat_crypt_activex_control

Short Name
HTTP:STC:SCRIPT:REPLACE-OBSF
Severity
Minor
Recommended
False
Recommended Action
None
Category
HTTP
Keywords
CVE-2008-5002 Function Javascript Obfuscation Replace Unicode
Release Date
05/03/2010
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3375
False Positive
Rarely
Vendors

Chilkat_software

CVSS Score

9.3
