Bugtraq mailing list archives
Re: "Strip Script Tags" in FW-1 can be circumvented
From: james () JEDITECH COM (James Lin)
Date: Tue, 1 Feb 2000 11:55:02 -0800
On Mon, 31 Jan 2000, Jonah Kowall wrote:
> I don't consider this a bug in FW-1, but a bug in the products Navigator, and Internet Explorer. These tags shouldn't be parsed, because
Perhaps a bug or feature - they are adhering to the principle of "flexible in what you accept." Browsers have always given a lot of leeway to poorly written HTML and scripts, and authors expect them to behave that way (whether that is good or bad is another debate). The firewall should be just as flexible in order to recognize all errors.

In this case I expect the firewall to either strip the SCRIPT tag, or deny access to this document because it contains illegal HTML - just as it would if the user tried to access a malformed URL.

Keep in mind exploits often take advantage of bugs or deficiencies in protocols, and isn't that what a firewall is supposed to protect against? :=)

-James
-----Original Message-----
From: Arne Vidstrom [mailto:arne.vidstrom () NTSECURITY NU]
Sent: Saturday, January 29, 2000 8:52 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: "Strip Script Tags" in FW-1 can be circumvented

Hi all,

The "Strip Script Tags" in FW-1 can be circumvented by adding an extra < before the <SCRIPT> tag like in this code:

    <HTML>
    <HEAD>
    <<SCRIPT LANGUAGE="JavaScript">
    alert("hello world")
    </SCRIPT>
    </HEAD>
    <BODY>
    test
    </BODY>
    </HTML>

This code will pass unchanged, and still execute in both Navigator and Explorer. I tried this on version 3.0 of FW-1 (on Windows NT 4.0) but I'm not able to check it on version 4.0 since I don't have access to it.

/Arne Vidstrom
http://ntsecurity.nu
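The two behaviours asked for in the reply above (strip the tag as leniently as a browser would, or deny the malformed document), shown next to a strict filter that lets the reported document through. This is an added example, not code from the thread or from FW-1: `naive_strip` is a hypothetical model of a strict filter, not FW-1's actual logic, and all function names and patterns are assumptions.

```python
import re

# Constructed sample: the document from the original report.
SAMPLE = """<HTML>
<HEAD>
<<SCRIPT LANGUAGE="JavaScript">
alert("hello world")
</SCRIPT>
</HEAD>
<BODY>
test
</BODY>
</HTML>"""

TAG = re.compile(r"<([^>]*)>")
# One or more '<' (with optional whitespace), optional '/', then "script".
SCRIPT_TAG = re.compile(r"(?:<\s*)+/?\s*script\b[^>]*>", re.IGNORECASE)
# A second '<' before the first one has been closed by '>'.
NESTED_LT = re.compile(r"<[^>]*<")


def naive_strip(html):
    """Hypothetical strict filter: a tag is the text between '<' and the
    next '>', and it is neutralised only if its first word is 'script'."""
    def repl(match):
        words = match.group(1).split()
        name = words[0].lower() if words else ""
        return "<!-- stripped -->" if name == "script" else match.group(0)
    return TAG.sub(repl, html)


def tolerant_strip(html):
    """Strip opening and closing SCRIPT tags even when stray '<'
    characters precede the tag name."""
    return SCRIPT_TAG.sub("<!-- stripped -->", html)


def should_deny(html):
    """Deny policy: refuse any document with an unclosed '<' inside a tag.
    This also rejects pages with a bare '<' in text or inline script."""
    return NESTED_LT.search(html) is not None


if __name__ == "__main__":
    print("strict filter changed the document:", naive_strip(SAMPLE) != SAMPLE)
    print("deny as malformed:", should_deny(SAMPLE))
    print(tolerant_strip(SAMPLE))
```
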