Bugtraq mailing list archives

Re: "Strip Script Tags" in FW-1 can be circumvented


From: jkowall () CINTERACTIVE COM (Jonah Kowall)
Date: Wed, 2 Feb 2000 10:08:37 -0500


Okay I have gotten 100x of these messages... all I have to say was that
there are 1000 possibilities for malforming html tags in some sense, and
what you consider valid html must also be explored.  This isn't an issue in
Firewall 1 4.0 SP5.  It apparently has been fixed sometime between the 4.5
year old version he was using, and the current release.

-----Original Message-----
From: ark () eltex ru [mailto:ark () eltex ru]
Sent: Wednesday, February 02, 2000 5:56 AM
To: jkowall () CINTERACTIVE COM
Cc: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: "Strip Script Tags" in FW-1 can be circumvented

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

One of the most important reasons to use a firewall is to avoid client bugs from
being abused. It _is_ definitely a bug in FW-1.

Jonah Kowall <jkowall () CINTERACTIVE COM> said :

      I don't consider this a bug in FW-1, but a bug in the products
Navigator and Internet Explorer.  These tags shouldn't be parsed, because
they are malformed.  The firewall is stripping tags properly, but since
these tags are malformed you can't expect the firewall to be able to
recognize them as valid tags.


-----Original Message-----
From: Arne Vidstrom [mailto:arne.vidstrom () NTSECURITY NU]
Sent: Saturday, January 29, 2000 8:52 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: "Strip Script Tags" in FW-1 can be circumvented


Hi all,

The "Strip Script Tags" in FW-1 can be circumvented by adding an extra <
before the <SCRIPT> tag like in this code:

<HTML>
<HEAD>
<<SCRIPT LANGUAGE="JavaScript">
alert("hello world")
</SCRIPT>
</HEAD>
<BODY>
test
</BODY>
</HTML>

This code will pass unchanged, and still execute in both Navigator and
Explorer. I tried this on version 3.0 of FW-1 (on Windows NT 4.0) but I'm
not able to check it on version 4.0 since I don't have access to it.


/Arne Vidstrom

http://ntsecurity.nu


                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBOJgNSKH/mIJW9LeBAQFs4gP+PPq2cUhySREF0VETw6UnK3GXCJ5e3qdO
zlS2mB5w0cF+5DNNbwriWZ1MMyFN4/6Q/xMFC/ooa2+Il/BDoZCzhp1qL4Cw7Xq9
kutraZD/7+77E4u2gFirG/mmGfzsxALtNLtajTacmnAQ1evrMzeD4dGN6pdiYVRx
zrvp+hHwVSA=
=uv2x
-----END PGP SIGNATURE-----
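The disagreement in this thread (a filter that only recognises well-formed tags versus clients that parse malformed ones) can be shown with a small added example; it is not part of any message above and is not FW-1's code. `strict_filter` is a hypothetical tokenizer that shows one way a filter can miss `<<SCRIPT`, `fail_closed_filter` is a hypothetical hardened counterpart, and all names and the escaping behaviour are assumptions.

```python
import re

# Constructed sample, shortened from the HTML in the original report.
SAMPLE = ('<HTML><HEAD>\n<<SCRIPT LANGUAGE="JavaScript">\n'
          'alert("hello world")\n</SCRIPT>\n</HEAD><BODY>test</BODY></HTML>')

BLOCKED = {"script"}
# A tag this filter is willing to classify: <name ...>, </name>, <name/>.
WELL_FORMED = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)(\s[^<>]*)?/?>\Z")


def escape(tag):
    """Render a tag inert by turning its angle brackets into entities."""
    return tag.replace("<", "&lt;").replace(">", "&gt;")


def strict_filter(html):
    """Hypothetical strict tokenizer: the tag name is whatever follows the
    first '<', so '<<SCRIPT' has the name '<script' and is not recognised."""
    def handle(m):
        tag = m.group(0)
        name = re.match(r"</?([^\s>]*)", tag).group(1).lower()
        return escape(tag) if name in BLOCKED else tag
    return re.sub(r"<[^>]*>", handle, html)


def fail_closed_filter(html):
    """Pass only tags that are well formed and not blocked; escape the rest,
    so markup the filter cannot classify never reaches a lenient client."""
    def handle(m):
        tag = m.group(0)
        wf = WELL_FORMED.match(tag)
        if wf and wf.group(1).lower() not in BLOCKED:
            return tag
        return escape(tag)
    # '>?' also catches an unterminated '<...' running to the end of input.
    return re.sub(r"<[^>]*>?", handle, html)


if __name__ == "__main__":
    print(strict_filter(SAMPLE))       # malformed opener passes through
    print(fail_closed_filter(SAMPLE))  # malformed opener is escaped
```

The fail-closed variant also escapes harmless malformed markup, which is the trade-off for not having to predict how each client repairs broken tags.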

