Bugtraq mailing list archives
Re: "Strip Script Tags" in FW-1 can be circumvented
From: dknight () CSUCHICO EDU (Bret Piatt)
Date: Wed, 2 Feb 2000 08:44:52 -0800
Arne Vidstrøm wrote:
The "Strip Script Tags" in FW-1 can be circumvented by adding an extra < before the <SCRIPT> tag
(.......)
I'm not able to check it on version 4.0 since I don't have access to it.
I've tried this on FW-1 version 4.0 SP4, on NT4 and it strips the code as it's supposed to do. That is, <<SCRIPT LANGUAGE="JavaScript"> is altered into <<SCRIP! LANGUAGE="JavaScript"> which the browsers will disregard. It's a bit silly that the alert("hello world") isn't cut away, though, so "< alert("hello world") test" is what your page looks like in web-browsers.

I recall Georgi posting something about doing other malformed tags to cause problems with hotmail.com's javascript filtering. Does FW-1 block if you <SCRIPT L\0x41NGUAGE="JavaScript"> or all other such bastardizations thereof? I did some quick testing to make sure that IE 5.0 still accepted the tag <script L\0x41NGUAGE="JavaScript"> but I don't have access to a FW-1 wall to check its filtering.

If firewall software is going to "filter" all or desired scripting languages from web pages, it can't be the position of the firewall vendor that the web browsers are processing malformed tags and they can't be expected to check for all of them. It'd be like your alarm company saying "Well, that burglar cut the exposed wires we left! How can we stop that?". The firewall developers should be working with browser vendors (or put together their own testing team if the browser vendors aren't willing) to find every way that undesired code can be executed, not just the "proper" way.
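Added example, not part of the original post and not FW-1 code: the two tag forms quoted in the message, run through a stand-in for the tag-mangling result described above and through a parser-based pass that drops the whole script element, body included. The sample pages and the names mangle_tag, drop_script and script_body_survives are constructed for illustration; mangle_tag is an assumption about the filter's visible effect only.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample pages built from the two tag forms quoted in the thread.
SAMPLES = [
    '<<SCRIPT LANGUAGE="JavaScript"> alert("hello world") </SCRIPT> test',
    r'<SCRIPT L\0x41NGUAGE="JavaScript"> alert("hello world") </SCRIPT> test',
]

def mangle_tag(page):
    """Stand-in (assumption): break the opening tag name, keep the rest."""
    return re.sub(r"(?i)<script", lambda m: m.group(0)[:-1] + "!", page)

class _DropScript(HTMLParser):
    """Re-emit a page without script elements; comments are dropped too."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True        # stays set if never closed: fail closed
        elif not self.in_script:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if tag != "script" and not self.in_script:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:           # stray "<" comes back as "&lt;"
            self.out.append(escape(data, quote=False))

def drop_script(page):
    parser = _DropScript()
    parser.feed(page)
    parser.close()                       # flush buffered trailing text
    return "".join(parser.out)

def script_body_survives(filtered):
    """True if the script source is still present as page text."""
    return "alert(" in filtered
```

Python's html.parser tokenises leniently but is not any browser's parser, so a filter built this way still has to be tested against the tag forms the target browsers actually accept.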