Bugtraq mailing list archives
Re: "Strip Script Tags" in FW-1 can be circumvented
From: msabin () CROMWELLMEDIA CO UK (Miles Sabin)
Date: Tue, 1 Feb 2000 18:06:37 -0000
Jonah Kowall wrote,
> I don't consider this a bug in FW-1, but a bug in the products navigator, and internet explorer. These tags shouldn't be parsed, because they are malformed. The firewall is stripping tags properly, but since these tags are malformed you can't expect the firewall to be able to recognize them as valid tags.
I disagree ... Strictly speaking the _tags_ aren't malformed. The loose '<' preceding the tag renders the document as a whole non-well formed, which, according to the HTML REC, means that all bets are off and user agents are allowed to interpret the doc as they please.

Most browsers will make an effort to try and make sense of HTML crud like this rather than rejecting it completely. That's reasonable given how much junk there is out there which passes for HTML.

The upshot is that any firewall product which attempts to interpret the stuff which passes through it has to be sensitive to the way that the end recipient is likely to behave. If it can't cope with the way browsers quite legitimately handle stuff that's strictly speaking broken, then it simply isn't up to snuff and should be fixed; or it should only pass stuff which is valid (which means it'd have to validate on the fly); or it shouldn't claim to be a 100% reliable filter.

Cheers,

Miles

--
Miles Sabin                       Cromwell Media
Internet Systems Architect        5/6 Glenthorne Mews
+44 (0)20 8817 4030               London, W6 0LJ, England
msabin () cromwellmedia com       http://www.cromwellmedia.com/
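The filter/recipient mismatch discussed in this message, as an added example that is not part of the original post: `strict_strip` is a hypothetical stand-in for a filter that only recognises well-formed tags (it is not FW-1's actual logic), Python's `html.parser` stands in for a browser's lenient parsing, and `fail_closed` blocks any document whose filtered output would still open a script element for the recipient. The sample documents are constructed.

```python
import re
from html.parser import HTMLParser

# Hypothetical filter model: a "tag" is '<' up to the next '>'.
TOKEN = re.compile(r"<([^>]*)>")

def strict_strip(doc):
    """Drop tokens whose name is exactly 'script'; pass everything else."""
    def repl(m):
        name = m.group(1).strip().lstrip("/").split(" ")[0].lower()
        return "" if name == "script" else m.group(0)
    return TOKEN.sub(repl, doc)

class StartTags(HTMLParser):
    """Lenient parse: a stray '<' becomes text, the tag after it still opens."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def recipient_sees_script(doc):
    parser = StartTags()
    parser.feed(doc)
    parser.close()
    return "script" in parser.tags

def fail_closed(doc):
    """Filter, then re-parse the output the way the recipient would.
    Return the filtered document, or None (block) if a script element survives."""
    out = strict_strip(doc)
    return None if recipient_sees_script(out) else out

# Constructed sample documents.
WELL_FORMED = "<p>hi</p><script>x()</script>"
STRAY_LT = "<p>hi</p><<script>x()</script>"

if __name__ == "__main__":
    for doc in (WELL_FORMED, STRAY_LT):
        out = strict_strip(doc)
        print(repr(doc), "->", repr(out),
              "| script survives:", recipient_sees_script(out),
              "| fail_closed:", repr(fail_closed(doc)))
```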