Bugtraq mailing list archives

Re: "Strip Script Tags" in FW-1 can be circumvented


From: Robert_Losinski () DPSK12 ORG (Losinski, Robert)
Date: Tue, 1 Feb 2000 11:11:49 -0700


As a former SGML Analyst with years of experience dealing with bad markup, I
disagree. The firewall should always strip the <SCRIPT> tags and all text
parsed in between.  Web Browsers are designed to be as flexible and loose as
possible to compensate for all the "hand coded" webpages around. That is why
they ignore the unclosed "<" before the <SCRIPT> tag.

FW-1 on the other hand is designed around strict security concerns by
enforcing rigid rule sets. It should always parse out and remove <SCRIPT>
tags when that rule is activated regardless of surrounding text. Obviously
their parser is not capable of ignoring an unclosed "<" when it encounters
the <SCRIPT> tag.

-----Original Message-----
From: Jonah Kowall [mailto:jkowall () CINTERACTIVE COM]
Sent: Monday, January 31, 2000 12:28 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: "Strip Script Tags" in FW-1 can be circumvented

I don't consider this a bug in FW-1, but a bug in the products Navigator
and Internet Explorer.  These tags shouldn't be parsed, because they are
malformed.  The firewall is stripping tags properly, but since these tags
are malformed you can't expect the firewall to be able to recognize them as
valid tags.

-----Original Message-----
From: Arne Vidstrom [mailto:arne.vidstrom () NTSECURITY NU]
Sent: Saturday, January 29, 2000 8:52 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: "Strip Script Tags" in FW-1 can be circumvented

Hi all,

The "Strip Script Tags" in FW-1 can be circumvented by adding an extra <
before the <SCRIPT> tag like in this code:

<HTML>
<HEAD>
<<SCRIPT LANGUAGE="JavaScript">
alert("hello world")
</SCRIPT>
</HEAD>
<BODY>
test
</BODY>
</HTML>

This code will pass unchanged, and still execute in both Navigator and
Explorer. I tried this on version 3.0 of FW-1 (on Windows NT 4.0) but I'm
not able to check it on version 4.0 since I don't have access to it.

/Arne Vidstrom

http://ntsecurity.nu
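As an added illustration of the parser mismatch the thread describes (this is not FW-1's code and not code from anyone in the thread), a hypothetical tag-stripping filter run over the posted sample in two modes: a strict mode that reads the tag name from the character right after "<" and so never recognizes "<<SCRIPT", and a lenient mode that, like the browsers described, re-reads the tag from the last "<" and removes the whole script block.

```python
# Constructed copy of the sample from the original post: an extra "<"
# precedes the <SCRIPT> tag.
SAMPLE = """<HTML>
<HEAD>
<<SCRIPT LANGUAGE="JavaScript">
alert("hello world")
</SCRIPT>
</HEAD>
<BODY>
test
</BODY>
</HTML>"""


def strip_script(html, resync):
    """Remove <SCRIPT ...> ... </SCRIPT> blocks from html.

    resync=False: hypothetical strict filter modelled on the reported failure.
      The tag name is everything between "<" and the next whitespace or ">",
      so "<<SCRIPT" yields the name "<SCRIPT", which never equals "SCRIPT",
      and the block passes through unchanged.
    resync=True: lenient filter in the spirit of the first reply. A "<" that
      is immediately followed by another "<" is treated as literal text, so
      the tag is re-read from the last "<" (as the thread says browsers do)
      and the block is removed.
    """
    out, i, n = [], 0, len(html)
    low = html.lower()          # case-insensitive tag matching
    while i < n:
        if html[i] != "<" or (resync and i + 1 < n and html[i + 1] == "<"):
            out.append(html[i])  # plain text, or a stray "<" kept as text
            i += 1
            continue
        j = i + 1
        while j < n and html[j] not in " \t\r\n>":
            j += 1               # read the tag name
        if low[i + 1:j] == "script":
            end = low.find("</script>", j)
            i = n if end == -1 else end + len("</script>")  # drop whole block
            continue
        out.append(html[i:j])    # any other tag is copied as-is
        i = j
    return "".join(out)


if __name__ == "__main__":
    print("strict filter changed input:", strip_script(SAMPLE, False) != SAMPLE)
    print("lenient filter output:\n" + strip_script(SAMPLE, True))
```

The strict mode leaves the sample byte-for-byte unchanged, which is the behaviour the original post reports; the lenient mode leaves only the stray "<" behind as text.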