  1. Moodle
  2. MDL-18052

Gif image with ICC code

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 1.9.3
    • 1.9.5
    • Themes
    • None
    • MySQL
    • MOODLE_19_STABLE
    • MOODLE_19_STABLE
    • Moderate

    Description

      I have Snort running and it has thrown alerts on web traffic from my Moodle server.
      Here is a copy of the alert:
      [**] [1:2002122:5] ET EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Profile Size [**]
      [Classification: Misc Attack] [Priority: 2]
      01/26-13:34:56.685711 xxx.xxx.xxx.xxx:62327 -> xxx.xxx.xxx.xxx:59978
      TCP TTL:64 TOS:0x8 ID:11866 IpLen:20 DgmLen:1500
      **A*** Seq: 0xD435DA03 Ack: 0xC043B17F Win: 0xFFFF TcpLen: 20
      [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1219][Xref => http://www.microsoft.com/technet/security/Bulletin/MS05-036.mspx]

      Upon further investigation, two GIF files in the Moodle directory come up with the code ICCRGBG1012
      that this Snort rule is alerting on. I am not sure if it is a false alert, or if the GIF files have something wrong with them.

      grep -R ICCRGBG1012 *
      Binary file pix/f/dmg.gif matches
      Binary file theme/chameleon/pix/f/dmg.gif matches
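
To inspect files like the two that grep matched, the GIF block structure can be walked to pull out the ICC application extension and compare the embedded profile length with the size declared in the first four bytes of the ICC header. This is an added example, not part of the original report or of Moodle's code, and it does not reproduce the Snort rule's own logic; `find_icc_profiles` and `constructed_gif` are hypothetical names and the sample GIF is constructed.

```python
ICC_APP_ID = b"ICCRGBG1012"  # 8-byte application id + 3-byte auth code (the grep string)

def read_sub_blocks(data, pos):
    """Join a chain of GIF data sub-blocks; return (payload, position after terminator)."""
    out = bytearray()
    while True:
        n = data[pos]                      # IndexError here means a truncated file
        if n == 0:
            return bytes(out), pos + 1
        if pos + 1 + n > len(data):
            raise ValueError("sub-block runs past end of file")
        out += data[pos + 1:pos + 1 + n]
        pos += 1 + n

def find_icc_profiles(data):
    """Walk the GIF block structure and describe each embedded ICC profile."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        raise ValueError("not a GIF")
    pos = 13                               # header (6) + logical screen descriptor (7)
    if data[10] & 0x80:                    # skip global colour table
        pos += 3 * (2 << (data[10] & 7))
    found = []
    try:
        while data[pos] != 0x3B:           # 0x3B = trailer
            if data[pos] == 0x2C:          # image descriptor
                flags = data[pos + 9]
                pos += 10
                if flags & 0x80:           # skip local colour table
                    pos += 3 * (2 << (flags & 7))
                _, pos = read_sub_blocks(data, pos + 1)   # +1 skips LZW code size
            elif data[pos] == 0x21:        # extension introducer
                is_icc = data[pos + 1:pos + 14] == b"\xff\x0b" + ICC_APP_ID
                payload, pos = read_sub_blocks(data, pos + (14 if is_icc else 2))
                if is_icc:
                    declared = int.from_bytes(payload[:4], "big") if len(payload) >= 4 else None
                    found.append({"embedded": len(payload), "declared": declared})
            else:
                raise ValueError("unexpected block 0x%02x at offset %d" % (data[pos], pos))
    except IndexError:
        raise ValueError("truncated GIF") from None
    return found

def constructed_gif(profile):
    """Constructed 1x1 GIF89a carrying `profile` in an ICC application extension."""
    chunks = b"".join(bytes([len(profile[i:i + 255])]) + profile[i:i + 255]
                      for i in range(0, len(profile), 255))
    return (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 6 + b"\x21\xff\x0b" + ICC_APP_ID
            + chunks + b"\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x4c\x01\x00\x3b")
```

For a file on disk, pass its bytes, for example `find_icc_profiles(open("pix/f/dmg.gif", "rb").read())`; a declared size that differs from the embedded length is the thing to look at more closely.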

          People

            timhunt Tim Hunt
            mperri Mike
            Sam Hemelryk Sam Hemelryk
            Huong Nguyen, Bas Brands, Mathew May

            Dates

              Created:
              Updated:
              Resolved:
              13/May/09